WP Fastest Cache is a Wordpress plugin that creates static html files from the dynamic WordPress blog in order to speed up operation. Version 0.8.9.5 and below of the plugin was identified being vulnerable to directory traversal attacks. The first two are Windows only, the 3rd one is generic. The Windows specific ones were tested on WampServer (so with Apache's Httpd). #1: The impact is reading files outside of the cache directory. The attacker has control over the directory only, the file is selected as the first hit of the scandir results in descending order. curl --path-as-is http://vulnerable-host.tld/wpfc-minified/..\..\..\/stuff.php <?php /** * XML-RPC protocol support for WordPress * * @package WordPress */ ... #2: The cacheFilePath construction logic in cache.php can be abused to mount a similar attack as vuln #1 and read index.html files outside the cache directory: curl --path-as-is http://vulnerable-host.tld/..\..\..\/whatever.html\/.. some html content outside the cache directory <!-- via php --> #3: If the Google Translate plugin is active on the victim system then it is also possible to create index.html files outside the cache directory: curl -v --header "X-GT-LANG: ../../../.." http://vulnerable-host.tld/some-article/ In configurations where the html extension has higher precedence over php in the webserver's DirectoryIndex configuration, this could actually change the front page of the victim website. Remediation: update to plugin version 0.8.9.6 Imre