A significant security vulnerability has been identified in the W3 Total Cache plugin for WordPress, affecting all versions up to and including 2.8.1.
This critical flaw cataloged as CVE-2024-12365, has a CVSS score of 8.5, categorizing it as a high-severity risk.
Discovered by security researcher villu164, the vulnerability allows authenticated attackers with Subscriber-level access and above to exploit weaknesses within the plugin’s functionality.
The core issue lies in the is_w3tc_admin_page function, which lacks proper capability checks. As a result, it enables attackers to access and exploit sensitive data, including potentially compromising the nonce value used by the plugin.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
This unauthorized access can lead to serious consequences, such as information disclosure, excessive consumption of service plan limits, and unauthorized web requests targeting arbitrary locations.
These requests could be utilized to query sensitive information from internal services, including instance metadata on cloud-based applications, thereby exposing critical system data to malicious actors.
The vulnerability was publicly disclosed on January 13, 2025, and has since raised alarms within the WordPress community.
Given the widespread use of the W3 Total Cache plugin—popular for its performance optimization features in WordPress sites—this vulnerability poses a significant risk to numerous websites.
Attackers can leverage this flaw to execute unauthorized actions, rendering even the lowest-level users (Subscribers) a potential threat vector.
To protect against this vulnerability, website administrators are strongly urged to take immediate action.
According to the Wordfence report, the W3 Total Cache plugin has been patched in version 2.8.2. Users should update to this version or any newer patched releases without delay to mitigate the risks posed by CVE-2024-12365.
The discovery of CVE-2024-12365 highlights the ongoing security challenges facing the WordPress ecosystem.
Administrators must remain vigilant and proactive in updating their software and managing user access to safeguard against potential exploits. By addressing this vulnerability swiftly, webmasters can protect their sites and sensitive data from unauthorized access.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
April 5, 2025 – Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical…
A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…
EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…
A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…
A surge in phishing text messages claiming unpaid tolls has been linked to a massive…
The State Bar of Texas has confirmed a data breach following the detection of unauthorized…