CVE-2024-12365: 
WordPress vulnerability analysis and mitigation

CVE-2024-12365 affects the W3 Total Cache plugin for WordPress, discovered in January 2024. The vulnerability exists in all versions up to and including 2.8.1 due to a missing capability check on the isw3tcadmin_page function. This security flaw affects over a million WordPress websites that use this popular caching plugin (NVD, SecurityOnline).

The vulnerability stems from a missing authorization check in the isw3tcadmin_page function, which allows authenticated users with Subscriber-level access or higher to perform unauthorized actions. The flaw has been assigned a CVSS v3.1 base score of 8.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, indicating its critical nature (NVD).

The vulnerability enables authenticated attackers to obtain the plugin's nonce value and perform unauthorized actions, leading to information disclosure and service plan limits consumption. Additionally, attackers can make web requests to arbitrary locations originating from the web application, potentially accessing information from internal services, including instance metadata on cloud-based applications (NVD).

Website administrators using W3 Total Cache are strongly advised to update to version 2.8.2 or later, which contains the patch for this vulnerability (SecurityOnline).