WordPress Plugin Vulnerabilities

W3 Total Cache < 2.8.2 - Unauthenticated Plugin Deactivation and Extensions Activation/Deactivation

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on several functions. This makes it possible for unauthenticated attackers to deactivate the plugin as well as activate and deactivate plugin extensions.

Affects Plugins

Plugin icon
w3-total-cache
Fixed in 2.8.2

References

CVE
CVE-2024-12006
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/329ad5dc-9339-4540-aba3-f21a78a74d4b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
villu164
Verified
No
WPVDB ID
55419227-e2cd-4794-b058-79813b133be3

Timeline

Publicly Published
2025-01-13 (about 1 year ago)
Added
2025-01-14 (about 1 year ago)
Last Updated
2025-01-14 (about 1 year ago)

Other

Published
Title
Published
2024-07-06
Title
Get Better Reviews for WooCommerce <= 4.0.6 - Missing Authorization
Published
2025-12-30
Title
SiteLock Security < 5.0.2 - Missing Authorization
Published
2025-04-17
Title
Advanced Google Maps < 5.8.5 - Missing Authorization
Published
2025-10-29
Title
Translate WordPress and go Multilingual – Weglot < 5.2 - Missing Authorization to Unauthenticated Limited Transient Deletion
Published
2025-06-12
Title
Hydra Booking < 1.1.10 - Missing Authorization