8.5

CVE-2024-12365

EPSS 13.15%
Published 14.01.2025 07:15:26
Last modified 16.01.2025 21:31:22
Source security@wordfence.com
Teams watchlist Login
Open Login

The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications.

Affected products Warnungen 0 Metrics 2 CWE 1 References 17

Data is provided by the National Vulnerability Database (NVD)

Boldgrid ≫ W3 Total Cache SwPlatformwordpress Version < 2.8.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	13.15%	0.938

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security@wordfence.com	8.5	3.1	4.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extension_ImageService_Plugin_Admin.php#L200

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L246

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L55

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Generic_Plugin_Admin.php#L385

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Generic_Plugin_Admin.php#L516

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Generic_Plugin_Admin.php#L55

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Root_Loader.php#L269

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/UsageStatistics_Plugin_Admin.php#L10

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/UsageStatistics_Plugin_Admin.php#L94

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Util_Admin.php#L822

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/inc/options/common/footer.php#L49

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/inc/options/common/top_nav_bar.php#L217

Patch

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/w3-total-cache.php#L71

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/196e629f-7c77-4bcb-8224-305a0108b630?source=cve

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-12365

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-12365

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-12365

EUVD