CVE-2013-2010

9.8 CRITICAL

📋 TL;DR

This vulnerability in the WordPress W3 Total Cache plugin allows remote attackers to execute arbitrary PHP code on affected servers. It affects WordPress sites running W3 Total Cache plugin version 0.9.2.8 and can lead to compromise of the entire web server.

💻 Affected Systems

Products:
  • WordPress W3 Total Cache Plugin
Versions: 0.9.2.8
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with the vulnerable plugin version enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise, allowing an attacker to install backdoors, steal data, deface websites, or use the server for further attacks.

🟠 Likely Case: Website defacement, data theft, malware installation, or use of the server as part of a botnet.

🟢 If Mitigated: Limited impact if proper network segmentation, file integrity monitoring, and least privilege principles are implemented.

🌐 Internet-Facing: HIGH - Directly exploitable from internet without authentication.
🏢 Internal Only: MEDIUM - Could be exploited if attacker gains internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available and is trivial to execute with minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.2.9 and later

Vendor Advisory: https://wordpress.org/plugins/w3-total-cache/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find W3 Total Cache.
4. Click 'Update Now' if available.
5. If not, download the latest version from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable W3 Total Cache Plugin
Platform: all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate w3-total-cache

Remove Plugin Files
Platform: linux

Completely remove the vulnerable plugin files.

rm -rf /path/to/wordpress/wp-content/plugins/w3-total-cache/

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block exploit attempts
  • Restrict file upload permissions and monitor for unauthorized PHP file creation

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin panel under Plugins > W3 Total Cache. If the version is 0.9.2.8, the system is vulnerable.

Check Version:

wp plugin get w3-total-cache --field=version

Verify Fix Applied:

Verify that the plugin version shown in the WordPress admin panel is 0.9.2.9 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to wp-content/plugins/w3-total-cache/
  • Unexpected PHP file creation in cache directories
  • Web server error logs showing PHP execution errors

Network Indicators:

  • HTTP requests containing PHP code in parameters
  • Traffic patterns matching known exploit signatures

SIEM Query:

source="web_server_logs" AND (uri="*w3-total-cache*" AND (method="POST" OR params="*php*"))
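The two log indicators above (POST requests to the plugin directory, and PHP code carried in request parameters) can be checked offline against a web server access log. The script below is an added example, not part of this advisory; it assumes Apache "combined" log format, and the log lines it scans are constructed samples with a placeholder file name, not captured traffic.

```python
"""Flag access-log lines matching the W3 Total Cache indicators listed above.

Added example, not part of the advisory. The Apache combined-log layout is
assumed, and the sample log lines below are constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format: host ident user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

PLUGIN_PATH = "/wp-content/plugins/w3-total-cache/"
# Coarse heuristic for "PHP code in parameters": PHP open tags in the decoded query string
PHP_MARKERS = ("<?php", "<?=")


def classify(line):
    """Return (ip, target, indicators) for a parsable line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = unquote_plus(parts.query).lower()
    hits = []
    # Indicator 1: POST request to the plugin directory
    if m.group("method") == "POST" and PLUGIN_PATH in parts.path:
        hits.append("post-to-plugin-dir")
    # Indicator 2: PHP code carried in request parameters
    if any(marker in query for marker in PHP_MARKERS):
        hits.append("php-in-params")
    return m.group("ip"), m.group("target"), hits


def scan(text):
    """Return (ip, target, indicators) for every line that matched at least one indicator."""
    return [r for r in map(classify, text.splitlines()) if r and r[2]]


# Constructed sample lines; "placeholder.php" is a placeholder, not a real plugin file
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2013:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2013:12:00:02 +0000] "POST /wp-content/plugins/w3-total-cache/placeholder.php HTTP/1.1" 200 88 "-" "curl/7.29"
198.51.100.7 - - [10/May/2013:12:00:03 +0000] "GET /?p=1&x=%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 404 0 "-" "python-requests/2.0"
198.51.100.7 - - [10/May/2013:12:00:04 +0000] "GET /wp-content/plugins/w3-total-cache/readme.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target, ",".join(hits))
```

A plain GET to the plugin directory (last sample line) is not flagged on its own, so pair this with the version check above rather than treating it as proof of compromise.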

🔗 References
