CVE-2012-6077
published 2019-11-22CVE-2012-6077: W3 Total Cache before 0.9.2.5 allows remote attackers to retrieve password hash information due to insecure storage of database cache files.
PriorityP356high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
5.38%
91.7th percentile
W3 Total Cache before 0.9.2.5 allows remote attackers to retrieve password hash information due to insecure storage of database cache files.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| boldgrid | w3_total_cache | < 0.9.2.5 | 0.9.2.5 |
| w3 | total_cache | — | — |
Detection & IOCsextracted from sources · hover to see the quote
path/wp-content/w3tc/dbcache/
- →HTTP GET request to /wp-content/w3tc/dbcache/ returning status 200 with directory listing indicators ('Index of', 'Parent Directory') confirms exposed database cache files.
- →FOFA query can be used to identify internet-exposed WordPress instances with W3 Total Cache dbcache directory references in page body.
- ·Vulnerability is only exploitable when database caching to disk is enabled in W3 Total Cache; the exposed files contain raw SQL query results including password hashes, emails, and user details.
- ·Affected versions are W3 Total Cache before 0.9.2.5; exploitation requires the dbcache directory to lack proper access controls (e.g., no .htaccess deny rule or equivalent). ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
WordPress W3 Total Cache - Cache Files Exposure
nuclei·CVSS 7.5
[HIGH] WordPress W3 Total Cache - Cache Files Exposure
WordPress W3 Total Cache - Cache Files Exposure
Detects publicly accessible W3 Total Cache database cache files in the wp-content/w3tc/dbcache/ directory. When database caching to disk is enabled, these files contain raw SQL query results, potentially exposing sensitive data such as user details, password hashes, emails, or other database content if the directory is not properly protected.
Template:
id: wp-w3-total-cache-exposure
info:
name: WordPress W3 Total Cache - Cache Files Exposure
author: pussycat0x
severity: high
description: |
Detects publicly accessible W3 Total Cache database cache files in the wp-content/w3tc/dbcache/ directory. When database caching to disk is enabled, these files contain raw SQL query results, potentially exposing sensitive data such as user details, pas
No writeups or analysis indexed.
http://www.openwall.com/lists/oss-security/2012/12/30/3https://security-tracker.debian.org/tracker/CVE-2012-6077https://www.acunetix.com/vulnerabilities/web/wordpress-w3-total-cache-plugin-predictable-cache-filenames/https://www.checkpoint.com/defense/advisories/public/2013/cpai-24-oct2.htmlhttps://www.w3-edge.com/weblog/2013/01/security-w3-total-cache-0-9-2-4/http://www.openwall.com/lists/oss-security/2012/12/30/3https://security-tracker.debian.org/tracker/CVE-2012-6077https://www.acunetix.com/vulnerabilities/web/wordpress-w3-total-cache-plugin-predictable-cache-filenames/https://www.checkpoint.com/defense/advisories/public/2013/cpai-24-oct2.htmlhttps://www.w3-edge.com/weblog/2013/01/security-w3-total-cache-0-9-2-4/
2019-11-22
Published