27/68 Tuesday, January 21, 2025
A severe vulnerability has been identified in the widely-used WordPress plugin, W3 Total Cache, potentially allowing attackers to access sensitive internal service data and metadata on cloud applications. The vulnerability, designated as CVE-2024-12365, carries a CVSS severity score of 8.5. W3 Total Cache is a popular plugin for optimizing WordPress website performance, including enhancing speed and reducing server load. It is currently installed on over one million websites worldwide.
The vulnerability affects version 2.8.1 of the plugin and enables authenticated attackers (members or higher roles) to exploit it for various actions. These include accessing sensitive information such as the plugin’s nonce values, performing unauthorized operations, sending arbitrary requests within the web application, and retrieving metadata from cloud applications. The issue stems from insufficient capability checks in the is_w3tc_admin_page function, which allows attackers to perform unauthorized actions and gain access to sensitive data.
Patch Available: Act Immediately
WordPress has released a security patch in version 2.8.2 to address this vulnerability. However, many websites have yet to update, leaving them at risk of exploitation. Website administrators are strongly advised to check the version of W3 Total Cache they are using. If it is not yet upgraded to version 2.8.2, they should update immediately. Administrators should also back up their websites before updating to prevent any issues during the process.
This vulnerability highlights the critical importance of regularly updating plugins and software to mitigate risks of sensitive data breaches and system attacks. Neglecting updates can lead to severe consequences, such as data leaks and site damage. Website owners should consistently monitor security updates and follow cybersecurity best practices to safeguard their websites from potential threats.
Source https://securityaffairs.com/173219/security/w3-total-cache-wordpress-plugin-cve-2024-12365.html
