wordpress

W3 Total Cache plugin flaw exposes 1 million WordPress sites to attacks

Teilen:

A severe flaw in the W3 Total Cache plugin installed on more than one million WordPress sites could give attackers access to various information, including metadata on cloud-based apps.

The W3 Total Cache plugin uses multiple caching techniques to optimize a website’s speed, reduce load times, and generally improve its SEO ranking.

The flaw is tracked as CVE-2024-12365 despite the developer releasing a fix in the latest version of the product, hundreds of thousands of websites have still to install the patched variant.

Vulnerability details

Wordfence notes that the security issue is due to a missing capability check in the ‘is_w3tc_admin_page’ function in all versions up to the latest one, 2.8.2. This fault allows access to the plugin’s security nonce value and perform unauthorized actions.

Exploiting the vulnerability is possible if the attacker is authenticated and has at least subscriber-level, a condition that is easily met.

The main risks that arise from the exploitation of CVE-2024-12365 are:

  • Server-Side Request Forgery (SSRF): make web requests that could potentially expose sensitive data, including instance metadata on cloud-based apps
  • Information disclosure
  • Service abuse: consume cache service limits, which impact site performance and can generate increased costs

Regarding the real-world impact of this flaw, attackers could use the website’s infrastructure to proxy requests to other services and use the collected information to stage further attacks.

The best action for impacted users is to take is to upgrade to the latest version of W3 Total Cache version, 2.8.2, which addresses the vulnerability.

Download statistics from wordpress.org indicate that roughly 150,000 websites installed the plugin after the developer released the most recent update, leaving hundreds of thousands of WordPress sites still vulnerable.

As a general recommendations, website owners should avoid installing too many plugins and discard the products that are not absolutely necessary.

Additionally, a web application firewall could prove beneficial as it could identify and block exploitation attempts.

Quelle

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

lade-bild
London, GB
7:07 pm, Feb. 15, 2025
Wetter-Symbol 3°C
L: 3° | H: 5°
light rain
Luftfeuchtigkeit: 87 %
Druck: 1019 mb
Wind: 8 mph ESE
Windböe: 0 mph
UV-Index: 0
Niederschlag: 1 mm
Wolken: 75%
Regen Chance: 0%
Sichtbarkeit: 10 km
Sonnenaufgang: 7:14 am
Sonnenuntergang: 5:15 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today 9:00 pm
Wetter-Symbol
3° | 5°°C 1 mm 100% 7 mph 89 % 1019 mb 0 mm/h
Tomorrow 9:00 pm
Wetter-Symbol
2° | 4°°C 1 mm 100% 10 mph 91 % 1022 mb 0.24 mm/h
Mo. Feb. 17 9:00 pm
Wetter-Symbol
1° | 7°°C 0 mm 0% 7 mph 78 % 1022 mb 0 mm/h
Di. Feb. 18 9:00 pm
Wetter-Symbol
1° | 8°°C 0 mm 0% 8 mph 70 % 1022 mb 0 mm/h
Mi. Feb. 19 9:00 pm
Wetter-Symbol
4° | 10°°C 0 mm 0% 7 mph 94 % 1020 mb 0 mm/h
Today 9:00 pm
Wetter-Symbol
2° | 3°°C 1 mm 100% 7 mph 89 % 1019 mb 0 mm/h
Tomorrow 12:00 am
Wetter-Symbol
2° | 2°°C 1 mm 100% 7 mph 91 % 1020 mb 0.24 mm/h
Tomorrow 3:00 am
Wetter-Symbol
2° | 2°°C 0 mm 0% 6 mph 90 % 1019 mb 0 mm/h
Tomorrow 6:00 am
Wetter-Symbol
2° | 2°°C 0 mm 0% 6 mph 88 % 1020 mb 0 mm/h
Tomorrow 9:00 am
Wetter-Symbol
3° | 3°°C 0 mm 0% 8 mph 80 % 1020 mb 0 mm/h
Tomorrow 12:00 pm
Wetter-Symbol
4° | 4°°C 0 mm 0% 10 mph 69 % 1021 mb 0 mm/h
Tomorrow 3:00 pm
Wetter-Symbol
4° | 4°°C 0 mm 0% 9 mph 64 % 1021 mb 0 mm/h
Tomorrow 6:00 pm
Wetter-Symbol
3° | 3°°C 0 mm 0% 8 mph 69 % 1021 mb 0 mm/h
Name Preis24H (%)
Bitcoin(BTC)
€92,990.30
-0.86%
Ethereum(ETH)
€2,576.10
-2.13%
XRP(XRP)
€2.65
-0.08%
Fesseln(USDT)
€0.95
-0.02%
Solana(SOL)
€185.67
-4.24%
USDC(USDC)
€0.95
0.01%
Dogecoin(DOGE)
€0.261826
-1.58%
Shiba Inu(SHIB)
€0.000015
-3.55%
Pepe(PEPE)
€0.000010
-5.73%
Nach oben scrollen