Over a million WordPress websites are at risk due to a high-severity vulnerability discovered in the popular W3 Total Cache plugin.
W3 Total Cache, a plugin used to boost website performance and improve search engine optimization, has been found to contain a critical security flaw (CVE-2024-12365) that could allow attackers to gain unauthorized access to sensitive data and even launch attacks on internal systems.
The vulnerability, assigned a CVSS score of 8.5, stems from a missing authorization check in the plugin’s code. This oversight allows authenticated users with minimal privileges (Subscriber level and above) to exploit the flaw and perform actions they shouldn’t be able to.
What are the potential consequences?
- Information Disclosure: Attackers can gain access to confidential data stored within the WordPress site.
- Resource Depletion: Attackers can consume the website’s service plan limits, potentially leading to service disruptions and increased costs.
- Server-Side Request Forgery (SSRF): Attackers can trick the website into making requests to internal services or cloud infrastructure, potentially exposing sensitive information or allowing for further attacks.
Who is at risk?
Any website using W3 Total Cache version 2.8.1 or earlier is vulnerable. Given the plugin’s popularity with over 1 million active installations, this represents a significant portion of the WordPress ecosystem.
What should you do?
Website owners using W3 Total Cache are strongly urged to update to the latest patched version (2.8.2) immediately. This update addresses the vulnerability and mitigates the associated risks.
Related Posts:
- WordPress Sites Under Widespread Attack – LiteSpeed Cache Plugin Exploit Puts Millions at Risk
- Critical Vulnerabilities in Bitdefender Total Security Expose Users to Man-in-the-Middle Attacks
- Total Meltdown (CVE-2018-1038) on Win 7/Server 2008 has not been completely resolved
- In 2017, GitHub paid $166,000 in Bug Bounties
