CVE-2024-12008

5.3 MEDIUM

📋 TL;DR

The W3 Total Cache WordPress plugin exposes debug log files publicly when debug mode is enabled, allowing unauthenticated attackers to view potentially sensitive information like nonce values. This affects all versions up to 2.8.1, but only impacts sites where debug mode is enabled (disabled by default).

💻 Affected Systems

Products:
  • W3 Total Cache WordPress Plugin
Versions: All versions up to and including 2.8.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when debug mode is enabled (disabled by default).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain nonce values and execute CSRF attacks to perform administrative actions, potentially compromising the WordPress site.

🟠

Likely Case

Attackers access debug logs containing sensitive configuration data, API keys, or user information that could aid further attacks.

🟢

If Mitigated

No impact if debug mode is disabled or plugin is patched/removed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple directory traversal or direct URL access to debug log files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.2

Vendor Advisory: https://wordpress.org/plugins/w3-total-cache/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find W3 Total Cache and click 'Update Now'.
4. Verify the version is 2.8.2 or higher.

🔧 Temporary Workarounds

Disable Debug Mode

Platform: all

Turn off debug logging in the W3 Total Cache settings.

Block Access to Debug Files

Platform: linux

Add an .htaccess rule to block access to the debug log file:

# Apache 2.2-style access directives (on Apache 2.4 they need mod_access_compat)
<Files "debug.log">
  Order Allow,Deny
  Deny from all
</Files>

🧯 If You Can't Patch

  • Disable W3 Total Cache plugin entirely
  • Implement web application firewall rules to block access to debug log paths

🔍 How to Verify

Check if Vulnerable:

Check if debug.log is accessible at /wp-content/w3tc-config/debug.log or similar paths

Check Version:

wp plugin list --name=w3-total-cache --field=version

Verify Fix Applied:

Verify plugin version is 2.8.2+ and debug.log is no longer publicly accessible

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 requests to debug.log files
  • Unusual access to w3tc-config directory

Network Indicators:

  • GET requests to /wp-content/w3tc-config/debug.log

SIEM Query:

url:*/w3tc-config/debug.log AND status:200
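The log indicators and SIEM query above, applied to web server access logs as an added example (not part of the original advisory): it separates successful retrievals of the debug log from failed probes and counts hits per source. The combined log format regex and the sample lines and addresses are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2024:14:02:11 +0000] "GET /wp-content/w3tc-config/debug.log HTTP/1.1" 200 48213 "-" "curl/8.4.0"
203.0.113.10 - - [10/Dec/2024:14:02:15 +0000] "GET /wp-content/w3tc-config/master.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
198.51.100.7 - - [10/Dec/2024:14:03:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2024:14:03:40 +0000] "GET /wp-content/w3tc-config/debug.log HTTP/1.1" 404 312 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2024:14:05:09 +0000] "HEAD /wp-content/w3tc-config/debug.log HTTP/1.1" 200 0 "-" "python-requests/2.31"
"""

# Fields of the combined log format that matter for this check (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Same pattern as the SIEM query: any path ending in /w3tc-config/debug.log,
# tolerating an appended query string and odd casing.
DEBUG_LOG_RE = re.compile(r'/w3tc-config/debug\.log(?:\?.*)?$', re.IGNORECASE)


def find_debug_log_exposure(log_text):
    """Return (hits, probes): hits are 2xx responses that actually served the
    debug log; probes are other requests for it, useful as scanning indicators."""
    hits, probes = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if not DEBUG_LOG_RE.search(m['path']):
            continue
        rec = {'ip': m['ip'], 'ts': m['ts'], 'method': m['method'],
               'status': int(m['status']), 'size': m['size']}
        (hits if 200 <= rec['status'] < 300 else probes).append(rec)
    return hits, probes


def sources_by_hits(hits):
    """Count successful retrievals per client address for triage."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    hits, probes = find_debug_log_exposure(SAMPLE_LOG)
    for h in hits:
        print(f"EXPOSED {h['ts']} {h['ip']} {h['method']} -> {h['status']} ({h['size']} bytes)")
    for p in probes:
        print(f"probe   {p['ts']} {p['ip']} {p['method']} -> {p['status']}")
```

A 200 with a non-zero size is the strongest signal, since it means the log was served; a HEAD 200 still confirms the file is reachable even though no bytes were returned.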
