More than 2 million WordPress-based websites use the cache plugin called WP Super Cache, one of the most popular on the platform, managed by Automattic, which owns WordPress itself.
A remote code execution vulnerability has been discovered in the plugin, and all users are advised to update now, as the latest version fixes the problem.
It was Automattic itself that discovered the vulnerability in WP Super Cache, a problem that could allow a hacker to upload and execute malicious code, usually with the intention of gaining control of the site.
Authenticated remote code execution (RCE) often allows someone else to upload and run PHP code, which can then install backdoors, access and change the database, and make the attacker a site administrator.
For this to happen, someone must first register on the site, which is very common on sites that have a registration section for access to private pages. Sometimes a subscriber-level account is enough for the problem to appear, so that any subscriber can become an administrator.
The new version 1.7.2 corrects the authenticated RCE in the configuration page, so updating as quickly as possible is recommended, since the problem is being widely publicized on pages dedicated to hacking websites.
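To find installs that still predate the fix, the added example below (not code from the article or from Automattic) scans a directory tree for WP Super Cache and compares each plugin header version with 1.7.2. It assumes the default plugin path and main file name (`wp-content/plugins/wp-super-cache/wp-cache.php`); the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 7, 2)  # release the article names as containing the fix
# Assumption: default plugin location and main file name (wp-cache.php).
PLUGIN_FILE = "wp-content/plugins/wp-super-cache/wp-cache.php"
VERSION_RE = re.compile(r"^[ \t/*#]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

# Constructed sample of a plugin header comment, for illustration only.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: WP Super Cache
 * Version: 1.7.1
 */
"""

def parse_version(php_source):
    """Return the header version as a 3-tuple of ints, or None if absent."""
    match = VERSION_RE.search(php_source[:8192])  # header sits at the top
    if match is None:
        return None
    nums = [int(n) for n in match.group(1).split(".")][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version):
    """Map a parsed version to a status relative to the fixed release."""
    if version is None:
        return "unknown"  # header missing or edited: inspect by hand
    return "vulnerable" if version < FIXED else "fixed"

def audit(root):
    """Find every WP Super Cache install under root and report its status."""
    results = []
    for main_file in sorted(Path(root).rglob(PLUGIN_FILE)):
        text = main_file.read_text(encoding="utf-8", errors="replace")
        site = main_file.parents[3]  # strip wp-content/plugins/wp-super-cache
        results.append((str(site), classify(parse_version(text))))
    return results

if __name__ == "__main__":
    print("sample header:", classify(parse_version(SAMPLE_HEADER)))
    for site, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {site}")
```

Pass the directory that holds the WordPress sites as the first argument; a "fixed" result reflects only the installed version, not whether the site was tampered with before the update.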