CVE-2024-12365
Published 2025-01-14
Priority P3 · 55 · high · CVSS 3.1 base score 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS: 1.74% (74.8th percentile)
The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| boldgrid | w3_total_cache | < 2.8.2 | 2.8.2 |
| boldgrid | w3_total_cache | <= 2.8.1 | — |
Detection & IOCs (extracted from sources)
- Exploitation requires an authenticated attacker with Subscriber-level access or above; monitor for low-privileged authenticated users triggering admin-plane functions in W3 Total Cache.
- Detection focus: the missing capability check on the `is_w3tc_admin_page` function; monitor for calls reaching this function from non-admin roles.
- Watch for SSRF-style outbound web requests originating from WordPress servers running W3 Total Cache ≤ 2.8.1, particularly to cloud instance metadata endpoints (e.g., 169.254.169.254).
- Monitor for abnormal cache service consumption or API limit exhaustion on sites running W3 Total Cache, which may indicate active exploitation for service abuse.
- The vulnerability affects all W3 Total Cache versions up to and including 2.8.1; version 2.8.2 contains the fix. Verify the installed version across all WordPress instances.
- Patch adoption is low: approximately 150,000 sites updated after the fix was released, leaving hundreds of thousands still vulnerable at the time of reporting.
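The root cause described above is an "is this an admin page?" check that never consults the caller's capability, so the nonce it guards leaks to any logged-in role. The PHP below is an added illustration, not W3 Total Cache's own code: it shows a hypothetical helper of that shape beside a hardened version that also requires the `manage_options` capability before the nonce is emitted, and an AJAX handler that re-checks capability server-side. Function names, the nonce action and the AJAX action are assumptions; the WordPress APIs used (`current_user_can`, `wp_create_nonce`, `check_ajax_referer`, `wp_send_json_*`) are real.

```php
<?php
// Added illustration, not W3 Total Cache's code. Assumes a WordPress runtime.

// Vulnerable shape (hypothetical): the decision rests only on request
// parameters, so a Subscriber who can load the page passes the check.
function example_is_admin_page_vulnerable() {
    return isset( $_GET['page'] ) && 0 === strpos( $_GET['page'], 'example_' );
}

// Hardened shape: same request check, plus an explicit capability check.
// A nonce proves intent, not authorization; the capability check is what
// keeps low-privileged roles out of the plugin's admin plane.
function example_is_admin_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    return isset( $_GET['page'] ) && 0 === strpos( $_GET['page'], 'example_' );
}

// Emit the nonce only to callers that passed the hardened check.
function example_print_admin_nonce() {
    if ( ! example_is_admin_page_hardened() ) {
        return;
    }
    printf(
        '<script>var exampleNonce = %s;</script>',
        wp_json_encode( wp_create_nonce( 'example_admin' ) )
    );
}

// Server side of a privileged AJAX action: verify the nonce AND the
// capability, so a leaked nonce alone cannot drive actions such as
// server-originated web requests.
function example_ajax_fetch_handler() {
    check_ajax_referer( 'example_admin', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // ... privileged work here ...
    wp_send_json_success();
}
add_action( 'wp_ajax_example_fetch', 'example_ajax_fetch_handler' );
```

Auditing for this class of bug means checking every place a nonce is printed or an admin action is registered for a capability check, not only a nonce check.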
No detection rules found.
No public exploits indexed.
References
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extension_ImageService_Plugin_Admin.php#L200
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L246
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L55
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Generic_Plugin_Admin.php#L385
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Generic_Plugin_Admin.php#L516
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Generic_Plugin_Admin.php#L55
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Root_Loader.php#L269
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/UsageStatistics_Plugin_Admin.php#L10
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/UsageStatistics_Plugin_Admin.php#L94
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Util_Admin.php#L822
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/inc/options/common/footer.php#L49
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/inc/options/common/top_nav_bar.php#L217
- https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/w3-total-cache.php#L71
- https://www.wordfence.com/threat-intel/vulnerabilities/id/196e629f-7c77-4bcb-8224-305a0108b630?source=cve