Security Risk: Dangerous
Exploitation level: Very Easy/Remote
DREAD Score: 8/10
Vulnerability: Persistent XSS
Patched Version: 1.4.4
Using this vulnerability, an attacker could use a carefully crafted query to insert malicious scripts into the plugin’s cached file listing page. Because this page requires a valid nonce in order to be displayed, successful exploitation requires the site’s administrator to view that particular section manually.
When executed, the injected scripts could be used to perform many other actions, such as adding a new administrator account to the site or injecting backdoors through the WordPress theme editing tools.
An update for WP Super Cache was recently released to address a critical XSS security vulnerability. We recommend that you update the plugin as soon as possible.
Official Link: https://wordpress.org/plugins/wp-super-cache/changelog/
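A version check to support the update recommendation above, as an added example that is not part of the original advisory or the plugin's own code: it reads the `Version:` header of the plugin's main file and compares it with the patched release 1.4.4. The default install path, the main file name `wp-cache.php` and the sample headers are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

PATCHED = (1, 4, 4)  # patched version stated in the advisory
# Assumption: default install path and main plugin file name.
PLUGIN_MAIN = Path("wp-content/plugins/wp-super-cache/wp-cache.php")
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.M | re.I)

# Constructed plugin headers used as sample input (not copied from the plugin).
SAMPLE_OLD = "<?php\n/*\nPlugin Name: WP Super Cache\nVersion: 1.4.3\n*/\n"
SAMPLE_NEW = "<?php\n/*\nPlugin Name: WP Super Cache\nVersion: 1.4.4\n*/\n"


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text[:8192])  # WordPress reads only the first 8 KB
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "1.4" to (1, 4, 0)


def classify(text):
    """Map plugin source text to 'needs-update', 'patched' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return "needs-update" if version < PATCHED else "patched"


def audit(webroot):
    """Check one WordPress document root on disk."""
    main = Path(webroot) / PLUGIN_MAIN
    if not main.is_file():
        return "not installed"
    return classify(main.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Usage: python check_wpsc.py /var/www/site1 /var/www/site2
    for root in sys.argv[1:]:
        print(f"{root}: {audit(root)}")
```

A result of `unknown` means the header could not be parsed and the installation should be inspected by hand.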