CVE-2013-2009: 
WordPress vulnerability analysis and mitigation

WordPress WP Super Cache Plugin version 1.2 contains a remote PHP code execution vulnerability that was discovered in early 2013. The vulnerability allows remote attackers to execute arbitrary PHP code through specially crafted comments containing mfunc, mclude and dynamic-cached-content tags (OSS Security Mail).

The vulnerability exists due to insufficient filtering of user comments that contain special tags like mfunc, mclude and dynamic-cached-content. These tags were processed and executed by the plugin, allowing attackers to inject and execute arbitrary PHP code through comments. The issue was fixed in version 1.3 by adding filters to remove these tags from comments using the functions preprocess_comment, comment_text, comment_excerpt, and comment_text_rss (OSS Security Mail).

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary PHP code on the affected system, potentially leading to complete compromise of the WordPress installation (OSS Security Mail).

The vulnerability was fixed in WP Super Cache version 1.3. Users should upgrade to version 1.3 or later immediately. The fix involves removing support for mfunc, mclude and dynamic-cached-content tags from comments through the implementation of multiple comment filters (OSS Security Mail).

The security community expressed concern about the WordPress plugin ecosystem's security practices, particularly regarding proper vulnerability disclosure and CVE assignment processes. Kurt Seifried from Red Hat's Security Response Team highlighted the need for better security handling within the WordPress community (OSS Security Mail).