Over a million WordPress sites exposed to attacks due to a flaw in the W3 Total Cache plugin
- A vulnerability has been discovered in the W3 Total Cache WordPress plugin that could expose data and more
- It affects all versions up to and including 2.8.1; version 2.8.2 was released to fix it
- Hundreds of thousands of WordPress websites are still vulnerable
W3 Total Cache, a popular WordPress plugin for optimizing website performance, reportedly contained a high-severity vulnerability that could allow attackers to access sensitive information, abuse service plan limits, and perform unauthorized actions.
The vulnerability is tracked as CVE-2024-12365 and carries a CVSS score of 8.5/10 (high). It stems from a missing capability check in one of the plugin's functions and affects all versions up to and including 2.8.1.
“This allows authenticated attackers, with subscriber-level access and above, to obtain the plugin’s nonce value and perform unauthorized actions, resulting in information disclosure, consumption of service plan limits, and web requests to arbitrary locations originating from the web application that can be used to request information from internal services, including instance metadata about cloud-based applications,” according to the National Vulnerability Database.
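To make the bug class concrete, here is a hypothetical WordPress plugin fragment written for this article; it is not W3 Total Cache's or BoldGrid's code. It shows an admin-page helper that gates on where a request comes from instead of who makes it, the nonce leak and server-side request that follow from that, and the hardened form with a capability check and a public-host filter that also covers the 169.254.0.0/16 range where cloud instance metadata lives. All function, action and nonce names (the example_ prefix, 'example_cache', 'example-cache') are invented.

```php
<?php
/*
 * Hypothetical plugin fragment illustrating the CVE-2024-12365 bug class.
 * Not taken from W3 Total Cache; every example_* name is invented.
 */

// --- Vulnerable pattern ---------------------------------------------------

// Meant to answer "are we on this plugin's admin page?". It never asks what
// the user may do: is_admin() is true for every /wp-admin/ request, including
// admin-ajax.php calls made by a subscriber, so the check passes for anyone
// who can log in and set ?page=example-cache.
function example_is_plugin_admin_page_vulnerable() {
    return is_admin() && isset( $_GET['page'] ) && $_GET['page'] === 'example-cache';
}

function example_print_nonce_vulnerable() {
    if ( example_is_plugin_admin_page_vulnerable() ) {
        // Hands out the nonce that is the only protection on the AJAX action below.
        echo '<script>var exampleNonce = "' . esc_js( wp_create_nonce( 'example_cache' ) ) . '";</script>';
    }
}

// The nonce is the sole gate here, so a subscriber who obtained it can make the
// server fetch arbitrary URLs (SSRF) and read the response (information disclosure).
function example_ajax_fetch_vulnerable() {
    check_ajax_referer( 'example_cache', 'nonce' );
    $url      = isset( $_POST['url'] ) ? $_POST['url'] : '';
    $response = wp_remote_get( $url );
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// --- Hardened pattern -----------------------------------------------------

// Gate on capability, not on request location.
function example_is_plugin_admin_page_fixed() {
    return is_admin()
        && current_user_can( 'manage_options' )
        && isset( $_GET['page'] ) && $_GET['page'] === 'example-cache';
}

// Reject any URL whose host does not resolve to a public address.
function example_is_public_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['host'] ) || ! in_array( $parts['scheme'] ?? '', array( 'http', 'https' ), true ) ) {
        return false;
    }
    $ip = gethostbyname( $parts['host'] ); // returns the name unchanged if resolution fails
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return false;
    }
    // NO_PRIV_RANGE rejects RFC 1918 space; NO_RES_RANGE rejects loopback,
    // 0.0.0.0/8 and 169.254.0.0/16 (cloud instance metadata endpoints).
    return (bool) filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

function example_ajax_fetch_fixed() {
    // The nonce proves intent (anti-CSRF); the capability proves authority.
    check_ajax_referer( 'example_cache', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( ! example_is_public_url( $url ) ) {
        wp_send_json_error( 'url not allowed', 400 );
    }

    // redirection => 0 stops a public host from 302-ing the request back inside.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// Only the hardened handler is wired up; the vulnerable functions are for contrast.
add_action( 'wp_ajax_example_fetch', 'example_ajax_fetch_fixed' );
```

Two notes on the design. The explicit address-range check is not redundant with wp_safe_remote_get(): WordPress core's URL validation blocks loopback and RFC 1918 ranges but not the 169.254.0.0/16 link-local range, so without it a metadata request would still go through. Resolving the host once in example_is_public_url() and letting the HTTP client resolve it again leaves a DNS-rebinding window; pinning the resolved IP for the actual request, or routing outbound fetches through an egress allow-list, closes it.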
WordPress and its plugins
The WordPress plugin repository lists W3 Total Cache at over a million active installations, fewer than half of which (42.8%) run the latest version, meaning more than 500,000 websites could still be vulnerable.
The plugin’s vendor, BoldGrid, fixed the flaw in version 2.8.2, and the WordPress security firm Wordfence has urged all users to update immediately.
WordPress is the world’s most popular website building platform, powering about half of all websites on the Internet.
As such, it is also a popular target for cybercriminals. Because the core platform itself is relatively secure, threat actors mainly go after third-party plugins and themes, especially those with poor developer or community support.
W3 Total Cache is a powerful WordPress plugin designed to improve website performance by caching content, minimizing code, and optimizing server resources. It claims to be able to help reduce load times, improve user experience, and improve SEO by integrating features such as Content Delivery Network (CDN) support and database caching.
Via BleepingComputer