CVE-2013-2010: 
WordPress vulnerability analysis and mitigation

WordPress W3 Total Cache Plugin version 0.9.2.8 contains a Remote PHP Code Execution vulnerability. The vulnerability was discovered in April 2013 and affects WordPress installations using the W3 Total Cache plugin up to and including version 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable (Exploit DB).

The vulnerability stems from improper handling of certain macros such as 'mfunc', which allows arbitrary PHP code injection. The vulnerability requires a valid post ID to add malicious comments, and the 'A comment is held for moderation' option in WordPress must be unchecked for successful exploitation. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary PHP code on the affected system, potentially leading to complete compromise of the WordPress installation. This could result in unauthorized access to sensitive data, modification of website content, or use of the server for malicious purposes (Exploit DB).

The vulnerability was addressed in subsequent versions of W3 Total Cache by improving security for the mfunc functionality, which is now disabled by default and requires a security string for execution (OSS Security). Users should upgrade to a version newer than 0.9.2.8 to protect against this vulnerability.