WordPress plugin W3 Total Cache: Potentially 1 million websites prone to attacks
If the conditions are right, attackers can target websites with the WordPress plug-in W3 Total Cache. A security patch is available.
Websites are at risk due to a vulnerability in the WordPress plug-in W3 Total Cache. If attacks are successful, attackers can access information that should be protected. Admins should install the secure version.
So far, there have been no reports of ongoing attacks. However, admins should not wait too long to install the update. According to the statistics on the WordPress website, the plug-in currently has more than 1 million active installations.
Data leak possible
Security researchers from Wordfence warn of the vulnerability in an article. The vulnerability (CVE-2024-12365) is classified as a “high” threat level. Because the is_w3tc_admin_page function lacks a check, attackers can use it as a starting point for attacks in a way that is not specified further.
However, this only works if they already have access at subscriber level. If this is the case, they can, among other things, view information they are not authorized to see. The plug-in is said to be vulnerable up to and including version 2.8.1. Version 2.8.2, which is protected against the attack described above, has now been released.
(des)