CVE-2024-12365
Published: 14 January 2025
Description
The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications.
Security Summary
CVE-2024-12365 affects the W3 Total Cache plugin for WordPress, specifically due to a missing capability check in the is_w3tc_admin_page function across all versions up to and including 2.8.1. This flaw, classified under CWE-862 (Missing Authorization), enables unauthorized data access and has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high confidentiality impact with low-privilege network access.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to retrieve the plugin's nonce value, bypassing protections to execute unauthorized actions. Potential impacts include sensitive information disclosure, exhaustion of service plan limits, and SSRF attacks where the web application issues requests to arbitrary external or internal locations, such as querying cloud instance metadata services.
References provided link to vulnerable code locations in the 2.8.0 tag of the plugin repository, including Extension_ImageService_Plugin_Admin.php (line 200), Extensions_Plugin_Admin.php (lines 55 and 246), and Generic_Plugin_Admin.php (lines 385 and 516), highlighting the precise functions lacking proper authorization checks.
Details
- CWE(s)