A critical flaw in W3 Total Cache


The Wordfence team (maintainers of a WordPress security plugin) alerted us to a security flaw, CVE-2024-12365, rated at a CVSS severity of 8.5/10.

What is W3 Total Cache?

W3 Total Cache is a mature, high-performance and highly customisable caching plugin that we strongly recommend. Used by over a million sites, it stands out for its reliability, its many settings and its support for the Redis cache.

What is the risk of this flaw?

The W3 Total Cache plugin for WordPress is vulnerable to unauthorised data access because the is_w3tc_admin_page function performs no capability check, in all versions up to and including 2.8.1. An authenticated attacker with Subscriber-level access or higher can obtain the plugin's nonce value and use it to perform unauthorised actions. This can lead to:

  • Disclosure of information: attackers can access sensitive data.
  • Consumption of service plan limits: overloaded resources can lead to service interruptions and increased costs.
  • Web requests to arbitrary locations: attackers can trick the web application into making requests to internal services, including the retrieval of instance metadata in cloud-based environments.

By exploiting this vulnerability, an attacker can compromise the confidentiality, resources and internal services of the affected sites. In short, it can allow a website to be hacked.
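To make the class of bug concrete, here is an added illustration written for this article; it is not code from W3 Total Cache, Wordfence or LRob. The function names (prefixed lrob_example_), the page-slug prefix used to recognise the plugin's admin page, and the nonce action name are all assumptions. It contrasts an "is this our admin page?" helper that looks only at the request (so any logged-in Subscriber who can reach the handler is treated as an administrator and receives the nonce) with a hardened version that requires the manage_options capability before handing out a nonce, and adds a version_compare gate for the affected range stated above (2.8.1 and below affected, 2.8.2 fixed). Minimal stand-ins for the WordPress functions let the file run outside WordPress; inside WordPress the real functions are used and the stand-ins are skipped.

```php
<?php
// Added example for this article: NOT W3 Total Cache's, Wordfence's or LRob's code.
// Function names, the 'w3tc_' page-slug prefix and the nonce action are assumptions.

// Stand-ins so the file runs stand-alone; WordPress defines the real ones.
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool {
        // Constructed sample session: a Subscriber, who has 'read' but not 'manage_options'.
        return in_array($cap, ['read'], true);
    }
}
if (!function_exists('wp_create_nonce')) {
    function wp_create_nonce(string $action): string {
        // Constructed stand-in; real nonces are tied to the user, session and time window.
        return substr(hash('sha256', 'constructed-secret|' . $action), 0, 10);
    }
}

// Vulnerable pattern: the helper decides from the request alone, so it cannot
// tell an administrator from a Subscriber who simply supplies the right slug.
function lrob_example_is_plugin_admin_page_vulnerable(array $request): bool {
    return isset($request['page']) && strpos($request['page'], 'w3tc_') === 0;
}

function lrob_example_nonce_handler_vulnerable(array $request): ?string {
    if (!lrob_example_is_plugin_admin_page_vulnerable($request)) {
        return null;
    }
    // Any authenticated user reaching this point receives the nonce.
    return wp_create_nonce('w3tc_example_action');
}

// Hardened pattern: a nonce is CSRF protection, not authorisation. Require the
// capability before issuing the nonce (and again in the action it guards).
function lrob_example_is_plugin_admin_page_fixed(array $request): bool {
    if (!current_user_can('manage_options')) {
        return false;
    }
    return isset($request['page']) && strpos($request['page'], 'w3tc_') === 0;
}

function lrob_example_nonce_handler_fixed(array $request): ?string {
    if (!lrob_example_is_plugin_admin_page_fixed($request)) {
        return null;
    }
    return wp_create_nonce('w3tc_example_action');
}

// Affected range from the advisory: anything below 2.8.2 is vulnerable.
function lrob_example_is_vulnerable_version(string $installed): bool {
    return version_compare($installed, '2.8.2', '<');
}

// Constructed request as sent by the simulated Subscriber session above.
$request = ['page' => 'w3tc_dashboard'];
var_dump(lrob_example_nonce_handler_vulnerable($request)); // nonce leaked to a Subscriber
var_dump(lrob_example_nonce_handler_fixed($request));      // refused: capability missing
var_dump(lrob_example_is_vulnerable_version('2.8.1'));
var_dump(lrob_example_is_vulnerable_version('2.8.2'));
```

The point of the hardened form is the order of checks: capability first, nonce second. A nonce only proves the request originated from a page the server rendered for that user; it says nothing about whether the user is allowed to perform the action, so every privileged handler needs its own current_user_can check regardless of the nonce.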

What is the scale of the impact?

Over 1 million sites affected, including dozens hosted by LRob.

Which versions are affected?

All versions less than or equal to 2.8.1 are affected. The first patched version is 2.8.2.

How did LRob deal with the problem?

90% of the affected sites are updated automatically by the web server, so they were secured within 24 hours of the patch becoming available.

The flaw was disclosed on 15 January; we were alerted that same afternoon and manually updated sites on the morning of 17 January.

This has had no negative impact on LRob.

To benefit from this special attention for your WordPress site,
host your site with LRob!
