CVE-2024-12314
Published: 18 February 2025
Description
The Rapid Cache plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 1.2.3. This is due to plugin storing HTTP headers in the cached data. This makes it possible for unauthenticated attackers to poison the cache with custom HTTP headers that may be unsanitized which can lead to Cross-Site Scripting.
Security Summary
CVE-2024-12314 is a cache poisoning vulnerability affecting the Rapid Cache plugin for WordPress in all versions up to and including 1.2.3. The issue stems from the plugin storing HTTP headers in cached data without proper sanitization, enabling attackers to inject custom headers into the cache. Published on 2025-02-18, this flaw carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is linked to CWE-524 and NVD-CWE-Other.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted HTTP requests containing malicious headers, they can poison the site's cache, causing subsequent visitors to receive responses with unsanitized headers that facilitate cross-site scripting (XSS) attacks. The changed scope (S:C) in the CVSS vector indicates potential impact across security boundaries, with low confidentiality and integrity effects but no availability disruption.
Advisories from Wordfence and the plugin's WordPress.org page provide further details on this vulnerability. Security practitioners should consult these resources—https://www.wordfence.com/threat-intel/vulnerabilities/id/72b777ac-1870-4588-82fe-da96a784ec81?source=cve and https://wordpress.org/plugins/rapid-cache/—for patch information and recommended mitigation steps.
Details
- CWE(s)