W3 Total Cache WordPress plugin vulnerable to PHP command injection

WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload.
GitHub

w3-total-cache-api.php

define( 'W3TC_LINK_URL', 'https://www.w3-edge.com/wordpress-plugins/' ); define( 'W3TC_LINK_NAME', 'W3 EDGE, Optimization Products for WordPress' ); define( 'W3TC ...
GitHub

w3-total-cache-winnie/Extension_Swarmify_Widget_View_NotConfigured.php

This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.