A critical flaw in W3 Total Cache




The WordFence team (Wordfence is a WordPress security plugin) reported a security vulnerability to us: CVE-2024-12365, with a CVSS score of 8.5/10.

What is W3 Total Cache?

W3 Total Cache is a solid, high-performance and highly customizable caching plugin that we warmly recommend. Used by over a million sites, it stands out for its reliability, extensive settings and Redis cache support.

What is the risk of this flaw?

The W3 Total Cache plugin for WordPress has an unauthorized data access vulnerability caused by a missing capability check in the is_w3tc_admin_page function, in all versions up to and including 2.8.1. It allows authenticated attackers with Subscriber-level access or higher to obtain the plugin's nonce value and then execute actions they are not authorized to perform. This can lead to:

  • Disclosure of information: attackers can access sensitive data.
  • Consumption of service plan limits: overloaded resources can lead to service interruptions and increased costs.
  • Web requests to arbitrary locations (server-side request forgery): attackers can trick the web application into making requests to internal services, including retrieving instance metadata in cloud environments.

Each of these compromises the confidentiality, resources or internal services of the affected site. In short, the flaw can be the first step towards a full compromise of the website.
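The pattern behind this class of bug, shown as an added illustration that is not W3 Total Cache's code and does not come from LRob or Wordfence: a hypothetical plugin (every lrob_demo_* name, the manage_options capability and the api.example.com allow-list are assumptions made for the example) whose "is this one of my admin pages?" helper omits the capability check, so any logged-in user who reaches the screen is handed the nonce; its AJAX handler then treats that nonce as authorization and fetches a caller-supplied URL. The hardened version below it checks the capability in both places, verifies the nonce, and restricts where the outbound request may go.

```php
<?php
// Hypothetical plugin "lrob_demo" (assumed names, not W3 Total Cache's code).
// Both halves define the same feature; only the hardened one is hooked at the end.

// ---------- Vulnerable pattern ----------

// Answers only "is this one of our admin screens?" and never "may this user
// act here?". Any logged-in user, Subscriber included, can load
// wp-admin/profile.php?page=lrob_demo and satisfy this check.
function lrob_demo_is_plugin_page_vulnerable() {
	return is_admin()
		&& isset( $_GET['page'] )
		&& 0 === strpos( (string) $_GET['page'], 'lrob_demo' );
}

// Prints the nonce into the page source for everyone the helper lets through.
function lrob_demo_enqueue_vulnerable() {
	if ( ! lrob_demo_is_plugin_page_vulnerable() ) {
		return;
	}
	wp_localize_script( 'lrob-demo-admin', 'lrobDemo', array(
		'nonce' => wp_create_nonce( 'lrob_demo_action' ),
	) );
}

// Treats the nonce as the only gate, then fetches whatever URL the caller names:
// information disclosure, quota burn and SSRF (cloud metadata endpoints included)
// for any authenticated user holding the leaked nonce.
function lrob_demo_ajax_fetch_vulnerable() {
	check_ajax_referer( 'lrob_demo_action', 'nonce' ); // CSRF token, not a permission check
	$url      = isset( $_POST['url'] ) ? (string) wp_unslash( $_POST['url'] ) : '';
	$response = wp_remote_get( $url );                 // no restriction on the destination
	wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// ---------- Hardened pattern ----------

// Same question, but the answer now includes the capability: a Subscriber on a
// plugin screen is not "on the plugin page" as far as the nonce is concerned.
function lrob_demo_is_plugin_page_hardened() {
	return lrob_demo_is_plugin_page_vulnerable()
		&& current_user_can( 'manage_options' ); // assumed capability for this feature
}

function lrob_demo_enqueue_hardened() {
	if ( ! lrob_demo_is_plugin_page_hardened() ) {
		return;
	}
	wp_localize_script( 'lrob-demo-admin', 'lrobDemo', array(
		'nonce' => wp_create_nonce( 'lrob_demo_action' ),
	) );
}

// Re-checks the capability server-side (the client is untrusted even when the
// nonce never leaked), verifies the nonce, and fetches only allow-listed hosts.
function lrob_demo_ajax_fetch_hardened() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 ); // wp_send_json_* exit after responding
	}
	check_ajax_referer( 'lrob_demo_action', 'nonce' );

	$url           = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
	$host          = wp_parse_url( $url, PHP_URL_HOST );
	$allowed_hosts = array( 'api.example.com' ); // assumption: the only upstream this feature needs
	if ( ! $host || ! in_array( strtolower( $host ), $allowed_hosts, true ) ) {
		wp_send_json_error( 'destination not allowed', 400 );
	}

	// wp_safe_remote_get() sets reject_unsafe_urls, so core additionally refuses
	// loopback and RFC 1918 hosts; the allow-list above remains the real control.
	// redirection => 0 stops an allowed host from bouncing the request elsewhere.
	$response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
	if ( is_wp_error( $response ) ) {
		wp_send_json_error( $response->get_error_message(), 502 );
	}
	wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

add_action( 'admin_enqueue_scripts', 'lrob_demo_enqueue_hardened' );
add_action( 'wp_ajax_lrob_demo_fetch', 'lrob_demo_ajax_fetch_hardened' );
```

A nonce only proves that the request was generated from a page the user recently loaded; it says nothing about whether that user is allowed to perform the action, so every privileged handler must call current_user_can() itself rather than inherit trust from the page that emitted the nonce. For outbound requests, prefer an allow-list of destinations over a deny-list: deny-lists tend to miss ranges such as link-local 169.254.0.0/16, where cloud instance metadata services live.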

How big is the impact?

Over 1 million sites affected, including dozens hosted by LRob.

Which versions are affected?

All versions up to and including 2.8.1 are affected. The first patched version is 2.8.2.

How did LRob deal with the problem?

90% of the affected sites are updated automatically by our hosting platform, which means those sites were secured within 24 hours of the patch being made available.

The flaw was disclosed on January 15; we were alerted the same afternoon and manually updated the remaining sites on the morning of January 17.

This had no negative impact on LRob.

To benefit from this privileged attention for your WordPress site, host your site with LRob!
