Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw
Recently discovered flaw allows threat actors to access sensitive information
- Vulnerability was discovered in W3 Total Cache WordPress plugin, allowing for data exposure, and more
- It affects all versions before 2.8.2, which was released in response
- Hundreds of thousands of WordPress websites are still vulnerable
W3 Total Cache, a popular website performance optimization WordPress plugin, reportedly carried a high-severity vulnerability which allowed attackers to access sensitive information, abuse service plan limits, and run unauthorized actions.
The vulnerability is tracked as CVE-2024-12365, and has a severity score of 8.5/10 (high). It occurs due to a missing capability check in a function, and affects all versions up to, and including, 2.8.1.
“This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications,” it was said on the National Vulnerability Database website.
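To illustrate the bug class described above, here is an added example, not W3 Total Cache's own code (the article does not show it): a hypothetical WordPress admin-ajax handler that verifies a nonce but never checks the caller's capability, so any Subscriber who obtains the nonce can make the server fetch arbitrary URLs, beside a hardened version that restores the capability check and restricts destinations. All function, action and host names are assumed.

```php
<?php
// Hypothetical example (not W3 Total Cache's code): an admin-ajax endpoint
// that proxies a URL fetch on behalf of the site's dashboard.

// VULNERABLE pattern: nonce verified, capability not checked. If the nonce is
// handed to every logged-in user (e.g. via wp_localize_script() on a page a
// Subscriber can view - an assumption here), a Subscriber passes this check
// and can point the server at internal services or cloud instance metadata.
function example_fetch_remote_vulnerable() {
    check_ajax_referer( 'example_fetch', 'nonce' );   // proves only that a logged-in session sent it
    $url      = isset( $_POST['url'] ) ? $_POST['url'] : '';
    $response = wp_remote_get( $url );                 // fetches whatever URL the caller supplied
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}
add_action( 'wp_ajax_example_fetch_vulnerable', 'example_fetch_remote_vulnerable' );

// HARDENED pattern: same endpoint with the missing capability check restored,
// an allowlist of destinations, and the safer WordPress HTTP helper.
function example_fetch_remote_hardened() {
    check_ajax_referer( 'example_fetch', 'nonce' );
    // Capability check: only users who may manage the site trigger server-side fetches.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url  = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $host = wp_parse_url( $url, PHP_URL_HOST );
    // Assumed allowlist: the hosts this feature legitimately talks to.
    $allowed_hosts = array( 'api.example-cdn.invalid' );
    if ( ! $host || ! in_array( $host, $allowed_hosts, true ) ) {
        wp_send_json_error( 'destination not allowed', 400 );
    }
    // wp_safe_remote_get() also rejects loopback/private addresses via wp_http_validate_url().
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}
add_action( 'wp_ajax_example_fetch_hardened', 'example_fetch_remote_hardened' );
```

A nonce proves request intent from an authenticated session; it is not an authorization check, which is why `current_user_can()` must sit alongside `check_ajax_referer()` in any handler that performs privileged or outbound actions.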
WordPress and its plugins
The WordPress plugin repository states that W3 Total Cache has more than a million downloads, with less than half (42.8%) running the latest version, meaning more than 500,000 websites could still be vulnerable.
The plugin’s vendor, BoldGrid, has released a fix with its version 2.8.2, and WordPress security project Wordfence urged all users to apply the fix immediately.
WordPress is the world’s most popular website builder platform, powering roughly half of all the websites on the internet.
As such, it is a popular target for cybercriminals, as well, but since the platform is relatively secure, threat actors are mostly focused on third-party plugins and themes, especially those with poor developer or community support.
W3 Total Cache is a powerful WordPress plugin designed to improve website performance by caching content, minimizing code, and optimizing server resources. It claims to be able to help reduce load times, enhance user experience, and improve SEO by integrating features like content delivery network (CDN) support and database caching.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.