W3 Total Cache Plugin Vulnerability Exposes 1 Million WordPress Sites to Attacks
A critical bug has been discovered in the W3 Total Cache plugin, estimated to be installed on over a million WordPress websites, that could allow attackers to access a variety of information, including metadata of cloud-based applications.
The W3 Total Cache plugin uses multiple caching techniques to optimize your website speed, reduce load times, and improve overall SEO rankings.
The vulnerability is being tracked as CVE-2024-12365, and while the developer has released a fix in the latest version of the product, hundreds of thousands of sites will still need to install the patched variant.
Vulnerability details
Wordfence notes that the security issue stems from a missing capability check in the 'is_w3tc_admin_page' function in all versions before 2.8.2, the latest release. The bug allows a low-privileged user to read the plugin's security nonce value and perform unauthorized actions. Exploitation requires the attacker to be authenticated with at least subscriber status, a condition that is easily met on many sites.
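The pattern described above, shown as an added, hypothetical illustration rather than W3 Total Cache's own code: an AJAX handler that decides "is this an admin page?" from request context alone, beside a hardened version that requires the `manage_options` capability and verifies the nonce. The `example_*` function and action names are assumptions; `current_user_can`, `check_ajax_referer`, `wp_create_nonce`, `wp_send_json_*` and `add_action` are standard WordPress functions.

```php
<?php
// Added example, not the plugin's code. All example_* names are hypothetical.

// Vulnerable pattern: the "admin page" test looks only at the request, never
// at who is making it, so any logged-in user (subscriber included) passes it.
function example_is_admin_page_unchecked() {
    return isset( $_GET['page'] ) && strpos( $_GET['page'], 'example_' ) === 0;
}

function example_handle_action_vulnerable() {
    if ( ! example_is_admin_page_unchecked() ) {
        wp_send_json_error( 'not an admin page', 403 );
    }
    // The nonce handed out here is now obtainable by any authenticated user,
    // which defeats its purpose as a CSRF token for privileged actions.
    wp_send_json_success( array( 'nonce' => wp_create_nonce( 'example_action' ) ) );
}

// Hardened pattern: a capability check is the authorization decision; the
// nonce only proves the request was intended, not that the user is allowed.
function example_is_admin_page_checked() {
    return example_is_admin_page_unchecked() && current_user_can( 'manage_options' );
}

function example_handle_action_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // Dies with a 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_action', 'nonce' );

    // ... perform the privileged action here ...

    wp_send_json_success();
}

// Register only the hardened handler for the (hypothetical) AJAX action.
add_action( 'wp_ajax_example_action', 'example_handle_action_hardened' );
```

The point of the contrast is that a nonce is not an access control: if the code path that issues or checks it is reachable by any authenticated role, the nonce protects nothing. The capability check must come first, on every privileged entry point.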
The main risks if CVE-2024-12365 is exploited include:
- Server-Side Request Forgery (SSRF): makes web requests that can potentially expose sensitive data, including version metadata of cloud-based applications
- Information disclosure
- Service abuse: consuming the caching service's quotas, degrading website performance and possibly increasing costs
In terms of the practical impact of this vulnerability, an attacker could use the website's infrastructure to forward requests to other services and use the information gathered to carry out further attacks.
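An added defensive example (not W3 Total Cache's code) for the SSRF risk named in the list above and in this paragraph: a guard for outbound requests whose destination a user can influence. It rejects non-HTTP schemes and any destination that resolves to a loopback, link-local (169.254.0.0/16, where cloud metadata services are typically served), private or otherwise reserved address. The `example_*` names are assumptions; `wp_remote_get` and `WP_Error` are standard WordPress APIs, and the `filter_var` flags are standard PHP.

```php
<?php
// Added example, not the plugin's code. All example_* names are hypothetical.

// Resolve a URL host to its addresses. Literal IPs are returned as-is
// (brackets stripped for IPv6 literals); hostnames are looked up for A/AAAA.
function example_resolve_host( $host ) {
    $host = trim( $host, '[]' );
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return array( $host );
    }
    $ips = array();
    foreach ( (array) dns_get_record( $host, DNS_A | DNS_AAAA ) as $rec ) {
        if ( isset( $rec['ip'] ) )   { $ips[] = $rec['ip']; }
        if ( isset( $rec['ipv6'] ) ) { $ips[] = $rec['ipv6']; }
    }
    return $ips;
}

// True only for globally routable addresses: NO_PRIV_RANGE excludes
// 10/8, 172.16/12, 192.168/16 and fc00::/7; NO_RES_RANGE excludes 0/8,
// 127/8, 169.254/16, 240/4, ::1, :: , ::ffff:0:0/96 and fe80::/10.
function example_is_public_ip( $ip ) {
    return false !== filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

function example_is_safe_outbound_url( $url ) {
    $parts = parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    $ips = example_resolve_host( $parts['host'] );
    if ( empty( $ips ) ) {
        return false;   // unresolvable: fail closed
    }
    foreach ( $ips as $ip ) {
        if ( ! example_is_public_ip( $ip ) ) {
            return false;   // any internal answer blocks the whole request
        }
    }
    return true;
}

// Usage inside WordPress: redirects are disabled so a public host cannot
// bounce the request to an internal address after the check has passed.
function example_fetch_guarded( $url ) {
    if ( ! example_is_safe_outbound_url( $url ) ) {
        return new WP_Error( 'ssrf_blocked', 'Destination not allowed' );
    }
    return wp_remote_get( $url, array( 'redirection' => 0, 'timeout' => 5 ) );
}
```

Two caveats a practitioner should keep in mind: the check resolves the name and then the HTTP client resolves it again, so a short-TTL record that changes between the two lookups can still slip through; pinning the resolved address in the client, or an allowlist of permitted destinations, closes that gap. Where the feature only ever needs to reach a fixed set of hosts, the allowlist is the simpler and stronger control.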
The most effective action affected users can take is to upgrade to the latest version of W3 Total Cache, 2.8.2, which addresses the vulnerability.
Download statistics from wordpress.org show that around 150,000 websites installed the plugin after the developer released the latest update, which leaves hundreds of thousands of WordPress websites still running a vulnerable version.
As a general recommendation, website owners should avoid installing too many plugins and remove those that are not really needed. Additionally, a web application firewall can be useful in this case, helping to identify and block exploit attempts.