W3 Total Cache WordPress plugin vulnerable to PHP command injection

WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload.
GitHub

w3-total-cache-api.php

define( 'W3TC_LINK_URL', 'https://www.w3-edge.com/wordpress-plugins/' ); define( 'W3TC_LINK_NAME', 'W3 EDGE, Optimization Products for WordPress' ); define( 'W3TC ...
GitHub

w3-total-cache-winnie/Extension_Swarmify_Widget_View_NotConfigured.php

This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.

WordPress plugin with over a million installs may have a worrying security flaw - here's what we know

A critical WordPress plugin flaw allows threat actors to run arbitrary PHP commands, potentially taking over entire websites.