Just in time for Christmas, it was announced on the full disclosure list a security (configuration/implementation) bug on W3 Total cache (W3TC), one of the most popular WordPress plugins.
The issue is connected to the way W3TC stores the database cache (in a public accessible directory). It can be used to retrieve password hashes and other database information.
By default the plugin will store the caches inside /wp-content/w3tc/dbcache/ and if you have directory listing enabled, anyone can browse to yoursite.com/wp-content/w3tc/dbcache/ and download them. The second issue is that even if you don’t have directory listing enabled, it is still possible to guess those directories/files in order to extract the database cache queries and results.
Full article at W3 Total Cache Implementation Vulnerability | Sucuri Blog.