WordPress Plugin Vulnerabilities

W3 Total Cache < 2.8.2 - Information Exposure via Log Files

Description

The plugin is vulnerable to Information Exposure through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF attacks.
Note: the debug feature must be enabled for this to be a concern, and it is disabled by default.

Affects Plugins

Plugin icon
w3-total-cache
Fixed in 2.8.2

References

CVE
CVE-2024-12008
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8292f23c-fb17-4082-9788-f643d1bb097e

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
3.7 (low)

Miscellaneous

Original Researcher
villu164
Verified
No
WPVDB ID
1685ca58-1622-433b-b561-304cb9d1bc56

Timeline

Publicly Published
2025-01-13 (about 1 year ago)
Added
2025-01-14 (about 1 year ago)
Last Updated
2026-04-13 (about 2 months ago)

Other

Published
Title
Published
2026-05-27
Title
GenerateBlocks < 2.1.1 - Authenticated (Contributor+) Information Disclosure
Published
2025-09-06
Title
Permalink Manager Lite < 2.5.1.4 - Unauthenticated Sensitive Information Exposure
Published
2024-01-17
Title
IP2Location Country Blocker < 2.33.4 - Unauthenticated Sensitive Information Exposure via Debug Log File
Published
2024-09-24
Title
Community by PeepSo < 6.4.6.1 - Unauthenticated Full Path Disclosure
Published
2025-06-04
Title
MultiVendorX < 4.2.23 - Unauthenticated Information Exposure