CVE-2024-12365

HIGH

W3 Total Cache <= 2.8.1 - Authenticated Missing Authorization in is_w3tc_admin_page

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-12365. PoCs published by spyata123.

AI-analyzed exploit summary This repository contains a Python script that tests for CVE-2019-6715 (arbitrary file read) and CVE-2024-12365 (SSRF/info disclosure) in W3 Total Cache. It exploits a directory traversal vulnerability via a crafted JSON payload to read arbitrary files.

Description

The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications.

Exploits (1)

nomisec WORKING POC

by spyata123 · poc

https://github.com/spyata123/W3TotalChache

View Code ZIP pw:eip

This repository contains a Python script that tests for CVE-2019-6715 (arbitrary file read) and CVE-2024-12365 (SSRF/info disclosure) in W3 Total Cache. It exploits a directory traversal vulnerability via a crafted JSON payload to read arbitrary files.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: W3 Total Cache <= 2.8.1

No auth needed

Prerequisites: Target running W3 Total Cache with vulnerable version · Access to the plugin's endpoint

MITRE ATT&CK