Issue with caching searches and exploits

[michdud]

Hi there! I've got (I think) an issue similar to Automattic/wp-super-cache#655–people are testing exploits in our search bar, which then get cached. This would be fine (assuming the exploits don't work), except our hosting service takes down the site every time a search with suspected malware is cached.

The file is /home/tks/webapps/wpresdesign/wp-content/cache/meta/wp-cache-2fab3455e9ea525690ede99e18bbed32.php and the contents of the file are:

<?php die(); ?>{"headers":{"Vary":"Vary: Cookie","Last-Modified":"Last-Modified: Sat, 30 Mar 2019 04:21:58 GMT","Content-Type":"Content-Type: text\/html; charset=\"UTF-8\""},"uri":"www.theknoxstudent.com\/\/?s=index\/\\think\\template\\driver\\file\/write&cacheFile=robots1.php&content=xbshell?php%20@eval$_POST[admin];?","blog_id":"1","post":0,"key":"www.theknoxstudent.com80\/\/?s=index\/\\think\\template\\driver\\file\/write&cacheFile=robots1.php&content=xbshell<?php%20@eval($_POST[admin]);?>"}

To prevent the plugin from caching searches, would I include 's=' in the list of pages to exclude from caching? Or is there some other way to remove searches from the cache?

We should be using the latest version of this plugin.

(Also please do let me know if my assumptions are wrong about what's going on in this file, I'm not super familiar with PHP.)

[michdud]

Ok, this was much easier to figure out once I had access to the dashboard of my site again.

There's a setting on the dashboard under Settings -> WP Super Cache that allows you to turn off caching for search pages (discussion of how search pages are found is here).

[michdud]

I updated the settings as shown above, but the plugin still seems to still be caching search pages (e.g. /home/tks/webapps/wpresdesign/wp-content/cache/blogs/?s=index/meta/wp-cache-?s=index03ba1b26718027012006f2ca32a09308.php) . Is there any reason this should still be the case? Is there a way to fix this?