This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis โ
Q1What is this vulnerability? (Essence + Consequences)
๐จ **Essence**: Arbitrary File Read via `pub/sns.php`. ๐ **Consequences**: Attackers steal sensitive server files (e.g., `/etc/passwd`). ๐ฅ **Impact**: Full system info disclosure, potential credential theft.
Q2Root Cause? (CWE/Flaw)
๐ก๏ธ **Root Cause**: Improper input validation in `SubscriptionConfirmation` JSON. ๐ **Flaw**: The `SubscribeURL` field is not sanitized, allowing path traversal. ๐ **CWE**: Arbitrary File Read (implied by behavior).
๐ฃ **Exploit**: YES. ๐ **PoC**: Available on GitHub (Go & Python scripts). ๐ก **Scanner**: Nuclei templates exist. ๐ **Wild Exploitation**: Active scanning tools available.
Q7How to self-check? (Features/Scanning)
๐ **Check**: Scan for `pub/sns.php` endpoint. ๐ก **Tool**: Use Nuclei or custom Python/Go PoCs. ๐ **Test**: Request `/pub/sns.php` with malicious JSON payload. ๐ฉ **Flag**: Look for file content in response.
Q8Is it fixed officially? (Patch/Mitigation)
โ **Fixed**: YES. ๐ฆ **Patch**: Upgrade to **W3 Total Cache >= 0.9.4**. ๐ **Action**: Update plugin immediately via WordPress dashboard.
Q9What if no patch? (Workaround)
๐ง **Workaround**: Block access to `/pub/sns.php` via `.htaccess` or WAF. ๐ **Rule**: Deny requests containing `SubscriptionConfirmation`. ๐งฑ **Defense**: Restrict public access to plugin assets.
Q10Is it urgent? (Priority Suggestion)
๐ฅ **Priority**: HIGH. ๐ **Risk**: Critical info disclosure. โฑ๏ธ **Urgency**: Patch ASAP. ๐ก๏ธ **Note**: Easy to exploit, widely scanned.