Over a Million Vulnerable WordPress Sites Due to a Flaw in the W3 Total Cache Plugin.
A newly discovered vulnerability allows malicious actors to access sensitive information.
A vulnerability has been detected in the W3 Total Cache plugin for WordPress, allowing for data exposure and more. This flaw affects all versions up to 2.8.2, which was released as a fix. It is estimated that there are still hundreds of thousands of WordPress websites that remain vulnerable.
W3 Total Cache, a well-known plugin for optimizing the performance of WordPress sites, presents a high-severity vulnerability that enables attackers to access sensitive information, abuse service plan limits, and execute unauthorized actions. This vulnerability is identified as CVE-2024-12365, with a severity score of 8.5 out of 10. The flaw is due to a lack of capability verification in one of its functions and affects all versions, including 2.8.1.
Authenticated attackers, with Subscriber level access or higher, can obtain the nonce value of the plugin and carry out unauthorized actions, leading to information disclosure and consumption of service limits, as well as making web requests to arbitrary locations that can be used to query information from internal services, including metadata of instances in cloud-based applications, as detailed on the vulnerability database website.
The WordPress plugin repository indicates that W3 Total Cache has been downloaded over a million times, but less than half (42.8%) are using the latest version, suggesting that over 500,000 websites could remain vulnerable. The plugin provider, BoldGrid, has released a fix with version 2.8.2, and the WordPress security project, Wordfence, has urged all users to apply this patch immediately.
WordPress is the most popular website creation platform in the world, powering approximately half of all web pages on the Internet. For this reason, it becomes a frequent target for cybercriminals. While the platform itself is relatively secure, attackers often focus on third-party plugins and themes, especially those with little support from developers or communities.
W3 Total Cache is a powerful plugin designed to enhance website performance by caching content, minimizing code, and optimizing server resources. It claims to reduce load times, improve user experience, and optimize SEO by integrating features such as support for content delivery networks (CDN) and database caching.
