RCE on attack-secure.com

More than a year ago, we reported a remote code execution bug to one of our fellow security researcher and trainer Mohamed Ramadan over at attack-secure.com

The website is based on Wordpress and it used the “w3-total-cache” plugin. Maybe you don’t remember anymore, but this plugin suffered a RCE bug (CVE-2013-2010) in all versions up to

That issue allowed attackers to execute PHP code by posting a comment of the following format:

<!–mfunc echo PHP_VERSION; –><!–/mfunc–>

The code’s output will be displayed in the comment section.

Mohamed replied after a full week and rewarded us with his “The basics of ethical hacking” online course.


  • 23.09.2013: Initial report about the outdated plugin
  • 01.10.2013: Fix and reward

We’d like to thank Mohamed for the fix and the reward.

PS: You can find their whitehat security page here

The team of Internetwache.org