- Vulnerability Discovered in WordPress W3 Total Cache Plugin, Allowing Data Exposure and More
- It affects all versions up to 2.8.2, which was released in response.
- Hundreds of thousands of WordPress websites remain vulnerable
W3 Total Cache, a popular WordPress plugin for optimizing website performance, reportedly had a high severity vulnerability that allowed attackers to access sensitive information, abuse service plan limits, and execute unauthorized actions.
The vulnerability is tracked as CVE-2024-12365 and has a severity score of 8.5/10 (high). It occurs due to a missing capability check in a feature and affects all versions up to and including 2.8.1.
“This makes it possible for authenticated attackers, with subscriber-level access and above, to obtain the nonce value of the plugin and perform unauthorized actions, resulting in information disclosure, service plan limiting consumption, and making web requests. to arbitrary locations originating from the web. application that can be used to query information from internal services, including metadata of instances in cloud-based applications,” the National Vulnerability Database website said.
WordPress and its plugins
The WordPress plugin repository claims that W3 Total Cache has over a million downloads, with less than half (42.8% running the latest version), meaning over 500,000 websites could still be vulnerable.
The plugin provider, BoldGrid, released a fix with its version 2.8.2, and the WordPress security project, Wordfence, urged all users to apply the fix immediately.
WordPress is the most popular website building platform in the world, powering approximately half of all websites on the Internet.
As such, it is also a popular target for cybercriminals, but as the platform is relatively secure, threat actors mainly focus on third-party plugins and themes, especially those with little developer or community support.
W3 Total Cache is a powerful WordPress plugin designed to improve website performance by caching content, minimizing code, and optimizing server resources. It claims to be able to help reduce loading times, improve user experience, and improve SEO by integrating features like content delivery network (CDN) support and database caching.
Through beepcomputer
