Summary: A critical vulnerability in the W3 Total Cache plugin, used by over a million WordPress sites, could allow attackers to access sensitive information and perform unauthorized actions. Despite a patch being released, many sites remain unprotected, leaving them open to exploitation. The flaw, tracked as CVE-2024-12365, poses significant risks including Server-Side Request Forgery (SSRF) and information disclosure.
Threat Actor: Unknown
Victim: WordPress Users
Key points:
- Vulnerability due to a missing capability check in the ‘is_w3tc_admin_page’ function.
- Exploitation requires only subscriber-level authentication, making it easy for attackers.
- Recommended action is to upgrade to W3 Total Cache version 2.8.2 to mitigate the risk.
- Real-world impact includes potential SSRF attacks and service abuse affecting site performance.
- Website owners are advised to limit plugin installations and consider using a web application firewall.
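
To act on the upgrade recommendation across many sites, the following added example (not part of the original advisory or the plugin's code) reads the standard WordPress plugin header of every installed plugin and flags W3 Total Cache copies older than 2.8.2. The site layout and sample files are constructed for illustration; the plugin is matched by its header name, so no particular folder or file name is assumed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 8, 2)  # patched release named in the advisory
# WordPress plugin header fields, e.g. " * Version: 2.8.1"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def parse_version(text):
    """Turn '2.8.1' into (2, 8, 1); missing parts count as 0."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def read_header(php_file):
    """WordPress reads header fields from the first 8 KiB of a plugin file."""
    head = php_file.read_text(errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER.findall(head)}

def audit(root):
    """Return [(file, version, status)] for each W3 Total Cache copy under root."""
    findings = []
    for php in sorted(Path(root).glob("**/wp-content/plugins/*/*.php")):
        fields = read_header(php)
        if fields.get("plugin name") != "W3 Total Cache":
            continue
        version = fields.get("version", "")
        if not version:
            status = "UNKNOWN"  # header without a version: check by hand
        elif parse_version(version) >= FIXED:
            status = "OK"
        else:
            status = "VULNERABLE"
        findings.append((str(php), version, status))
    return findings

def build_sample_tree(root):
    """Constructed sample data: three fake sites in different states."""
    for site, ver in {"site-a": "2.8.1", "site-b": "2.8.2", "site-c": None}.items():
        plugin_dir = Path(root) / site / "wp-content" / "plugins" / "cache-plugin"
        plugin_dir.mkdir(parents=True)
        lines = ["<?php", "/**", " * Plugin Name: W3 Total Cache"]
        if ver:
            lines.append(f" * Version: {ver}")
        (plugin_dir / "main.php").write_text("\n".join(lines + [" */"]))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, version, status in audit(tmp):
            print(f"{status:10} {version or '-':8} {path}")
```

Point `audit()` at the directory that holds your sites' document roots; an `UNKNOWN` result means the plugin header carried no version line and the copy needs a manual look.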