CVE-2024-12006

The W3 Total Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to deactivate the plugin as well as activate and deactivate plugin extensions.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L186	Patch
https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L220	Patch
https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L60	Patch
https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L63	Patch
https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Generic_Plugin_Admin.php#L212	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/329ad5dc-9339-4540-aba3-f21a78a74d4b?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:boldgrid:w3_total_cache:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2025-01-14 07:15

Updated : 2025-01-16 21:30

NVD link : CVE-2024-12006

Mitre link : CVE-2024-12006

CVE.ORG link : CVE-2024-12006

JSON object : View

Products Affected

boldgrid

w3_total_cache

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-12006", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-01-14T07:15:25.633", "references": [{"url": "https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L186", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L220", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L60", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Extensions_Plugin_Admin.php#L63", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.8.0/Generic_Plugin_Admin.php#L212", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/329ad5dc-9339-4540-aba3-f21a78a74d4b?source=cve", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The W3 Total Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to deactivate the plugin as well as activate and deactivate plugin extensions."}, {"lang": "es", "value": " El complemento W3 Total Cache para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de comprobaci\u00f3n de capacidad en varias funciones en todas las versiones hasta la 2.8.1 incluida. Esto permite que atacantes no autenticados desactiven el complemento, as\u00ed como tambi\u00e9n activen y desactiven extensiones del complemento."}], "lastModified": "2025-01-16T21:30:14.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:boldgrid:w3_total_cache:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "470E9307-0C69-4084-A1BF-1A1C12DA313B", "versionEndExcluding": "2.8.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}