CVE-2024-12365

8.5 HIGH

📋 TL;DR

The W3 Total Cache WordPress plugin up to version 2.8.1 lacks proper capability checks, allowing authenticated users with Subscriber-level access or higher to obtain the plugin's nonce value. This enables unauthorized actions including information disclosure, service plan limit consumption, and arbitrary web requests that could query internal services like cloud instance metadata.

💻 Affected Systems

Products:
  • W3 Total Cache WordPress Plugin
Versions: All versions up to and including 2.8.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with W3 Total Cache plugin enabled are vulnerable. Requires at least Subscriber-level authenticated access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could query internal cloud metadata services to obtain credentials, escalate privileges, move laterally within cloud environments, and potentially achieve full system compromise.

🟠 Likely Case

Information disclosure of plugin configuration and nonce values, unauthorized consumption of service plan limits, and the ability to make arbitrary web requests from the vulnerable server.

🟢 If Mitigated

With proper network segmentation and restrictions on access to the cloud metadata service, the impact is limited to plugin configuration disclosure and unauthorized plugin actions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access but only Subscriber-level privileges. Exploitation involves crafting specific requests to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.2 or later

Vendor Advisory: https://wordpress.org/plugins/w3-total-cache/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find W3 Total Cache and click 'Update Now'.
4. Verify the version is 2.8.2 or higher.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Disable the W3 Total Cache plugin until it can be updated:

wp plugin deactivate w3-total-cache

🧯 If You Can't Patch

  • Restrict access to WordPress admin area using IP whitelisting or VPN
  • Implement web application firewall rules to block requests to vulnerable plugin endpoints

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins → Installed Plugins and read the W3 Total Cache version. If the version is 2.8.1 or lower, the system is vulnerable.

Check Version:

wp plugin get w3-total-cache --field=version

Verify Fix Applied:

After updating, verify that the W3 Total Cache version shown on the WordPress admin plugins page is 2.8.2 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /wp-admin/admin.php with 'page=w3tc_extensions' or 'page=w3tc_general' parameters from Subscriber-level users
  • Multiple failed nonce validation attempts

Network Indicators:

  • Outbound requests from WordPress server to internal metadata services (169.254.169.254 for AWS, 169.254.169.254/metadata for Azure)

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin.php" AND (query_string="*page=w3tc_*" OR query_string="*w3tc_nonce*")) AND user_role="subscriber"
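The log and network indicators above, applied to constructed sample records as an added example (not part of this advisory): the request filter mirrors the SIEM query (admin.php hits carrying a w3tc_ page or w3tc_nonce parameter from a subscriber-level account), and the egress check flags connections from the web tier into the link-local range used by cloud metadata services. The field names (uri_path, query_string, user_role, dst_ip) and all sample values are assumptions.

```python
"""Added example, not from the advisory: applies its detection logic to
constructed WordPress request logs and outbound-connection logs.
Field names (uri_path, query_string, user_role, dst_ip) are assumptions."""
import ipaddress
from urllib.parse import parse_qs

# Constructed sample records; not real traffic.
REQUEST_LOGS = [
    {"user": "editor1", "user_role": "editor", "uri_path": "/wp-admin/admin.php",
     "query_string": "page=w3tc_general"},
    {"user": "sub42", "user_role": "subscriber", "uri_path": "/wp-admin/admin.php",
     "query_string": "page=w3tc_extensions&w3tc_nonce=abc123"},
    {"user": "sub42", "user_role": "subscriber", "uri_path": "/wp-admin/profile.php",
     "query_string": ""},
    {"user": "sub7", "user_role": "subscriber", "uri_path": "/wp-admin/admin.php",
     "query_string": "page=w3tc_general"},
]
OUTBOUND_LOGS = [
    {"src": "wordpress-web-1", "dst_ip": "93.184.216.34", "dst_port": 443},
    {"src": "wordpress-web-1", "dst_ip": "169.254.169.254", "dst_port": 80},
]

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def suspicious_w3tc_request(rec):
    """Mirror the advisory's SIEM query: an admin.php hit with a w3tc_ page
    or a w3tc_nonce parameter, issued by a subscriber-level account."""
    if rec.get("uri_path") != "/wp-admin/admin.php":
        return False
    if rec.get("user_role", "").lower() != "subscriber":
        return False
    params = parse_qs(rec.get("query_string", ""))
    page = params.get("page", [""])[0]
    return page.startswith("w3tc_") or "w3tc_nonce" in params

def metadata_egress(rec):
    """Flag outbound connections from the web tier into the link-local range
    that hosts cloud instance metadata services (169.254.169.254)."""
    return ipaddress.ip_address(rec["dst_ip"]) in LINK_LOCAL

def triage(request_logs, outbound_logs):
    """Return (suspicious request records, flagged egress records)."""
    hits = [r for r in request_logs if suspicious_w3tc_request(r)]
    egress = [r for r in outbound_logs if metadata_egress(r)]
    return hits, egress

if __name__ == "__main__":
    hits, egress = triage(REQUEST_LOGS, OUTBOUND_LOGS)
    for h in hits:
        print(f"[w3tc] subscriber {h['user']} hit admin.php?{h['query_string']}")
    for e in egress:
        print(f"[egress] {e['src']} -> {e['dst_ip']}:{e['dst_port']} (metadata range)")
```

Requests from higher-privileged roles to the same pages are legitimate administration and are deliberately not flagged; a metadata-range connection from a web server that has no business reading instance metadata is worth an alert on its own.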
