Vulnerability was discovered in W3 Total Cache WordPress plugin, allowing for data exposure, and more

It affects all versions up to 2.8.2, which was released in response

Hundreds of thousands of WordPress websites are still vulnerable

W3 Total Cache, a popular website performance optimization WordPress plugin, reportedly carried a high-severity vulnerability which allowed attackers to access sensitive information, abuse service plan limits, and run unauthorized actions.

The vulnerability is tracked as CVE-2024-12365, and has a severity score of 8.5/10 (high). It occurs due to a missing capability check in a function, and affects all versions up to, and including, 2.8.1.

“This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications,” it was said on the National Vulnerability Database website.

WordPress and its plugins

The WordPress plugin repository states that W3 Total Cache has more than a million downloads, with less than half (42.8% running the latest version), meaning more than 500,000 websites could still be vulnerable.

The plugin’s vendor, BoldGrid, has released a fix with its version 2.8.2, and WordPress security project Wordfence urged all users to apply the fix immediately.

WordPress is the world’s most popular website builder platform, powering roughly half of all the websites on the internet.

As such, it is a popular target for cybercriminals, as well, but since the platform is relatively secure, threat actors are mostly focused on third-party plugins and themes, especially those with poor developer or community support.

W3 Total Cache is a powerful WordPress plugin designed to improve website performance by caching content, minimizing code, and optimizing server resources. It claims to be able to help reduce load times, enhance user experience, and improve SEO by integrating features like content delivery network (CDN) support and database caching.

Via BleepingComputer