{"id":6257,"date":"2025-01-19T09:24:02","date_gmt":"2025-01-19T08:24:02","guid":{"rendered":"https:\/\/www.lrob.fr\/?p=6257"},"modified":"2025-01-19T09:24:03","modified_gmt":"2025-01-19T08:24:03","slug":"a-critical-flaw-in-w3-total-cache","status":"publish","type":"post","link":"https:\/\/www.lrob.fr\/en\/blog\/news\/une-faille-critique-dans-w3-total-cache\/","title":{"rendered":"A critical flaw in W3 Total Cache"},"content":{"rendered":"<p class=\"wp-block-paragraph\">The WordFence team (a WordPress security plugin) has reported a security vulnerability to us: <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-12365\" target=\"_blank\" rel=\"noopener\">CVE-2024-12365<\/a>, CVSS criticality 8.5\/10.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is W3 Total Cache?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/wordpress.org\/plugins\/w3-total-cache\/\" target=\"_blank\" rel=\"noopener\">W3 Total Cache<\/a> is a serious, high-performance and highly customizable caching plugin that we warmly recommend. Used by over a million sites, it stands out for its reliability, extensive settings and Redis cache support.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is the risk of this flaw?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <strong>W3 Total Cache<\/strong> plugin for WordPress has an unauthorized data access vulnerability caused by a missing capability check in the <code>is_w3tc_admin_page<\/code> function in all versions up to and including 2.8.1. This vulnerability allows authenticated attackers with <strong>Subscriber<\/strong>-level access or higher to obtain the plugin's nonce value and perform unauthorized actions. 
This can lead to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Information disclosure:<\/strong> attackers can access sensitive data.<\/li>\n\n\n\n<li><strong>Consumption of service plan limits:<\/strong> overloaded resources can lead to service interruptions and increased costs.<\/li>\n\n\n\n<li><strong>Web requests to arbitrary locations (server-side request forgery):<\/strong> attackers can trick the web application into making requests to internal services, including retrieval of instance metadata in cloud environments.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">These actions exploit the vulnerability to compromise the confidentiality, resources and internal services of the affected applications. In short, it can enable a website to be hacked.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How big is the impact?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Over 1 million sites are affected, including dozens hosted by LRob.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Which versions are affected?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">All versions up to and including 2.8.1 are affected. 
The first patched version is 2.8.2.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How did LRob deal with the problem?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">90% of affected sites are updated automatically by the web server, which means they are secured within 24 hours of the patch being made available.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The flaw was revealed on January 15; we were alerted the same afternoon and manually updated sites on the morning of January 17.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This had no negative impact on LRob.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To benefit from this privileged attention for your WordPress site,<br>host your site with LRob!<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/www.lrob.fr\/en\/web-hosting\/\">Choose my hosting<\/a><\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The WordFence team (a WordPress security plugin) reported security vulnerability CVE-2024-12365 to us, with a CVSS criticality of 8.5\/10. What is W3 Total Cache? W3 Total Cache is a serious, high-performance and highly customizable caching plugin that we warmly recommend. 
Used by over a million sites, it stands out for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6258,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-6257","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/6257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/comments?post=6257"}],"version-history":[{"count":1,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/6257\/revisions"}],"predecessor-version":[{"id":6259,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/6257\/revisions\/6259"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media\/6258"}],"wp:attachment":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media?parent=6257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/categories?post=6257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/tags?post=6257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}