Cyber Security News

W3 Total Cache Plugin Vulnerability Let Attackers Gain Unauthorized Access to Sensitive Data

A significant security vulnerability has been identified in the W3 Total Cache plugin for WordPress, affecting all versions up to and including 2.8.1.

This critical flaw cataloged as CVE-2024-12365, has a CVSS score of 8.5, categorizing it as a high-severity risk.

Discovered by security researcher villu164, the vulnerability allows authenticated attackers with Subscriber-level access and above to exploit weaknesses within the plugin’s functionality.

Description of the Vulnerability

The core issue lies in the is_w3tc_admin_page function, which lacks proper capability checks. As a result, it enables attackers to access and exploit sensitive data, including potentially compromising the nonce value used by the plugin.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

This unauthorized access can lead to serious consequences, such as information disclosure, excessive consumption of service plan limits, and unauthorized web requests targeting arbitrary locations.

These requests could be utilized to query sensitive information from internal services, including instance metadata on cloud-based applications, thereby exposing critical system data to malicious actors.

The vulnerability was publicly disclosed on January 13, 2025, and has since raised alarms within the WordPress community.

Given the widespread use of the W3 Total Cache plugin—popular for its performance optimization features in WordPress sites—this vulnerability poses a significant risk to numerous websites.

Attackers can leverage this flaw to execute unauthorized actions, rendering even the lowest-level users (Subscribers) a potential threat vector.

To protect against this vulnerability, website administrators are strongly urged to take immediate action.

According to the Wordfence report, the W3 Total Cache plugin has been patched in version 2.8.2. Users should update to this version or any newer patched releases without delay to mitigate the risks posed by CVE-2024-12365.

  1. Update the Plugin: Ensure that your W3 Total Cache plugin is updated to version 2.8.2 or later to eliminate the vulnerability.
  2. Monitor User Access Levels: Review the access levels of users within your WordPress site. Consider restricting access for users at the Subscriber level unless necessary.
  3. Conduct Security Audits: Regularly audit your website for vulnerabilities and ensure that all plugins and themes are up to date to minimize the risks.
  4. Utilize Security Plugins: Implement additional security measures through reputable security plugins to enhance the overall safety of your WordPress environment.

The discovery of CVE-2024-12365 highlights the ongoing security challenges facing the WordPress ecosystem.

Administrators must remain vigilant and proactive in updating their software and managing user access to safeguard against potential exploits. By addressing this vulnerability swiftly, webmasters can protect their sites and sensitive data from unauthorized access.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

2 Apple Zero-Day Vulnerabilities Actively Exploited in “Extremely” Sophisticated iOS Attacks

Apple has urgently rolled out iOS 18.4.1 and iPadOS 18.4.1 to patch two zero-day vulnerabilities…

1 hour ago

CISA Extend Funding to MITRE to Keep CVE Program Running

The Cybersecurity and Infrastructure Security Agency (CISA) has extended funding to the MITRE Corporation, ensuring…

3 hours ago

Windows Task Scheduler Vulnerabilities Allow Attackers Gain Admin Account Control

New vulnerabilities in Windows Task Scheduler's schtasks.exe let attackers bypass UAC, alter metadata, modify event…

3 hours ago

Windows NTLM Vulnerability (CVE-2025-24054) Actively Exploit in the Wild to Hack Systems

A critical vulnerability in Microsoft Windows, identified as CVE-2025-24054, has been actively exploited in the…

5 hours ago

Server-Side Phishing Attacks Target Employee and Member Portals to Steal Login Credentials

Attackers have been deploying server-side phishing schemes to compromise employee and member login portals across…

5 hours ago

Beware! Online PDF Converters Tricking Users into Installing Password-Stealing Malware

CloudSEK's Security Research team, a sophisticated cyberattack leveraging malicious online PDF converters has been demonstrated…

6 hours ago