CVE-2024-12365: CWE-862 Missing Authorization in boldgrid W3 Total Cache
The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications.
AI Analysis
Technical Summary
CVE-2024-12365 is a high-severity vulnerability in the W3 Total Cache plugin for WordPress caused by a missing capability check on the is_w3tc_admin_page function in all versions up to and including 2.8.1. This missing authorization allows authenticated users with low privileges (Subscriber-level and above) to access the plugin's nonce value, enabling unauthorized actions such as information disclosure and making arbitrary web requests from the server. The vulnerability can be leveraged to query internal services, including cloud instance metadata, posing risks to confidentiality and service integrity.
Potential Impact
An attacker with minimal authenticated access can exploit this vulnerability to disclose sensitive information, consume service plan limits, and perform server-side request forgery (SSRF)-like actions to query internal resources. This compromises confidentiality and may expose internal cloud metadata, which can lead to further attacks or data leakage. There is no indication of availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Subscriber-level access to trusted users only and monitor for suspicious activity related to the W3 Total Cache plugin. Avoid granting unnecessary privileges and consider disabling the plugin if possible until patched.
CVE-2024-12365: CWE-862 Missing Authorization in boldgrid W3 Total Cache
Description
The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-12365 is a high-severity vulnerability in the W3 Total Cache plugin for WordPress caused by a missing capability check on the is_w3tc_admin_page function in all versions up to and including 2.8.1. This missing authorization allows authenticated users with low privileges (Subscriber-level and above) to access the plugin's nonce value, enabling unauthorized actions such as information disclosure and making arbitrary web requests from the server. The vulnerability can be leveraged to query internal services, including cloud instance metadata, posing risks to confidentiality and service integrity.
Potential Impact
An attacker with minimal authenticated access can exploit this vulnerability to disclose sensitive information, consume service plan limits, and perform server-side request forgery (SSRF)-like actions to query internal resources. This compromises confidentiality and may expose internal cloud metadata, which can lead to further attacks or data leakage. There is no indication of availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Subscriber-level access to trusted users only and monitor for suspicious activity related to the W3 Total Cache plugin. Avoid granting unnecessary privileges and consider disabling the plugin if possible until patched.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-09T11:58:01.402Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e38b7ef31ef0b597fc3
Added to database: 2/25/2026, 9:48:40 PM
Last enriched: 4/9/2026, 7:22:51 PM
Last updated: 4/11/2026, 6:36:46 PM
Views: 21
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.