Critical command injection vulnerability in the WordPress plugin W3 Total Cache

A serious security vulnerability (CVE-2025-9501, CVSS score 9.0) has been discovered in the popular WordPress caching plugin W3 Total Cache. It allows remote code execution, meaning attackers can run arbitrary commands on the server without having to authenticate first.

#wordpress #plugin #w3totalcache #infosec #infosecnews #RemoteCodeExecution

https://beyondmachines.net/event_details/critical-command-injection-flaw-reported-in-w3-total-cache-wordpress-plugin-c-x-1-7-2/gD2P6Ple2L

Critical command injection flaw reported in W3 Total Cache WordPress plugin

A critical unauthenticated command injection vulnerability (CVE-2025-9501) in the W3 Total Cache WordPress plugin allows attackers to achieve remote code execution by submitting malicious PHP code through public comments, affecting all versions prior to 2.8.13.

BeyondMachines

Security researchers reveal a severe flaw in the #W3TotalCache plugin for #WordPress

The vulnerability is tracked as CVE-2024-12365, and when exploited, can expose potentially sensitive data. The plugin is believed to be installed on over 1 million WordPress sites.

Administrators are advised to patch ASAP

#cybersecurity

https://www.bleepingcomputer.com/news/security/w3-total-cache-plugin-flaw-exposes-1-million-wordpress-sites-to-attacks/

W3 Total Cache plugin flaw exposes 1 million WordPress sites to attacks

A severe flaw in the W3 Total Cache plugin installed on more than one million WordPress sites could give attackers access to various information, including metadata on cloud-based apps.

BleepingComputer

WordPress plug-in W3 Total Cache: potentially 1 million websites attackable

If the conditions are right, attackers can target websites running the WordPress plug-in W3 Total Cache. A security patch is available.

heise online

Yet another #flaw in a #WordPress plugin: 1 million sites exposed to data leaks.
A significant #vulnerability has been discovered in the #W3TotalCache plugin, a module widely used by #WP subscribers to improve the performance of their #websites.
https://www.clubic.com/actualite-550556-encore-une-faille-dans-un-plugin-wordpress-1-million-de-sites-exposes-a-des-fuites-de-donnees.html
Yet another flaw in a WordPress plugin: 1 million sites exposed to data leaks

A new critical flaw in a WordPress plugin? Well, it had been a while.

Clubic.com
The results of a deep dive, spending probably way too much time on this, but that's what we do when the stakes are low: #WordPress #ActivityPub and #caching, in particular #W3TotalCache. https://gergely.imreh.net/blog/2023/02/when-wordpress-caching-is-not-what-it-seems/
When WordPress caching is not what it seems - ClickedyClick

Using WordPress blog as a Fediverse node comes with issues when site caching breaks my assumptions.

ClickedyClick
Plot thickens with #WordPress #ActivityPub and #W3TotalCache #W3TC plugin interactions. Seems like W3TC's #nginx config is subtly wrong for me in multiple ways, so it didn't actually direct caching (and it was a red herring to modify it, wasting me an hour or two), but W3TC's internal code redirects to the right generated on-disk file after all (so that's why the "caching" seemed to have worked even with an emptied nginx config).

@arnandegans so the plugin would need to somehow tell the whole #WordPress instance (or just #W3TotalCache?) not to cache the author's about page (when it receives a regular query, return the HTML version; if it is the "application/activity+json" type, the plugin takes care of it).

It's an interesting proposition whether that plugin could set up that behaviour. I wonder if it's something down this line: https://wordpress.org/support/topic/disable-caching-for-a-specific-page/ (and thanks for the hint, it seems promising!)

Disable caching for a specific page

[This thread is closed.] Hello and thanks for the wonderful plugin! this might be a dumb question, but I haven’t been able to exclude a page…

WordPress.org Forums
@evantd what sort of settings change would this be? I'm using #nginx and #W3TotalCache adds its own config to it (as a generated file that is imported by the main nginx setup). Looking at it, there's no header or accepted-file-type related logic in there.
Any other hints about what you mean?

Using #WordPress with the #ActivityPub plugin and it seems like it's not playing well with #W3TotalCache, as the author page, which should return ActivityPub author JSON, is just being cached (without bothering about the "Accept" header).

Solved it by just exempting the `/author/.+` paths from caching, but it is not satisfying, the cache plugin should be able to handle these things.

Also, I have no clue whether it will make any difference for @gergely at all :P
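The caching problem described in the posts above (a cache that keys only on the path serves the browser's HTML copy of an author page to a Fediverse server asking for `application/activity+json`) and the two ways around it that were mentioned (varying the cached copy on the negotiated type, or exempting `/author/.+` from caching altogether) are modelled here in a toy page cache. This is an added example, not W3 Total Cache or ActivityPub plugin code; `origin()`, the author path and the sample Accept headers are constructed stand-ins.

```python
"""Model of the W3 Total Cache / ActivityPub interaction described above.
Added example, not W3TC or ActivityPub plugin code: a toy page cache that
either ignores the Accept header (the reported behaviour), varies its cache
key on the negotiated type, or bypasses caching for an excluded path pattern.
"""
import re
from typing import Dict, Sequence, Tuple

ACTIVITYPUB_TYPES = ("application/activity+json", "application/ld+json")


def negotiated_type(accept: str) -> str:
    """Collapse the Accept header to the two representations the site has."""
    return "activitypub" if any(t in accept.lower() for t in ACTIVITYPUB_TYPES) else "html"


# Constructed stand-in for WordPress + the ActivityPub plugin: author pages
# are served as ActivityPub JSON when the client asks for it, HTML otherwise.
def origin(path: str, accept: str) -> Tuple[str, str]:
    """Return (content_type, body) for an uncached request."""
    if path.startswith("/author/") and negotiated_type(accept) == "activitypub":
        return ("application/activity+json", '{"type": "Person", "name": "gergely"}')
    return ("text/html", f"<html><body>{path}</body></html>")


class PageCache:
    def __init__(self, vary_on_accept: bool, never_cache: Sequence[str] = ()) -> None:
        self.vary_on_accept = vary_on_accept
        self.never_cache = [re.compile(p) for p in never_cache]
        self.store: Dict[tuple, Tuple[str, str]] = {}
        self.origin_hits = 0  # how many requests reached the origin

    def key(self, path: str, accept: str) -> tuple:
        # Without Vary handling the key is the path alone, so whichever
        # representation is requested first is what everybody gets afterwards.
        return (path, negotiated_type(accept)) if self.vary_on_accept else (path,)

    def get(self, path: str, accept: str) -> Tuple[str, str]:
        if any(p.search(path) for p in self.never_cache):
            self.origin_hits += 1
            return origin(path, accept)          # excluded path: never cached
        k = self.key(path, accept)
        if k not in self.store:
            self.origin_hits += 1
            self.store[k] = origin(path, accept)
        return self.store[k]


def fediverse_after_browser(vary_on_accept: bool,
                            never_cache: Sequence[str] = ()) -> Tuple[str, int]:
    """A browser warms the author page, then a Fediverse server fetches it.
    Returns the content type the Fediverse server got and the origin hit count."""
    cache = PageCache(vary_on_accept, never_cache)
    cache.get("/author/gergely/", "text/html,application/xhtml+xml")
    ctype, _ = cache.get("/author/gergely/", "application/activity+json")
    return ctype, cache.origin_hits


if __name__ == "__main__":
    print(fediverse_after_browser(False))                    # ('text/html', 1): stale HTML
    print(fediverse_after_browser(True))                     # ('application/activity+json', 2)
    print(fediverse_after_browser(False, [r"^/author/.+"]))  # ('application/activity+json', 2)
```

The first call reproduces the reported failure: the Fediverse fetch is answered from the HTML copy the browser left behind. Varying the key costs one extra origin hit per representation but keeps both cacheable; the path exclusion works too but forfeits caching of author pages entirely. In a real nginx front end the equivalent of `vary_on_accept` is to fold a `map $http_accept` result into the cache key (or to honour a `Vary: Accept` response header), and the equivalent of `never_cache` is a cache-bypass rule for those paths.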

I finally succeeded in putting the WordPress media files on S3 and serving them from a CDN, on a test site. This should not have stumped me this much; there's a plugin to help with it and I managed to configure it on Pleroma and PeerTube without the help of a plugin. Maybe those have better instructions...

One of the issues was that the W3 Total Cache instructions said to give minimal S3 access permissions to the access key but didn't say what that is, so I did GetObject, PutObject and DeleteObject, but that doesn't work. Blog posts acknowledge this and say to just give full permissions. Fortunately AWS had a list and it also needs ListBucket, GetObjectAcl and PutObjectAcl, even if ACLs are disabled. Just ignore that the test upload doesn't work. Also ignore people who say that the S3 bucket needs to be open to the public.
#Wordpress #W3TotalCache
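The six permissions listed in the post above, written out as a least-privilege IAM policy scoped to a single bucket, plus a small checker for the mistakes that make people fall back to "just give full permissions". This is an added example, not W3 Total Cache documentation or AWS's own policy generator; the bucket name is a placeholder, and the checker only encodes the generic S3 resource-scoping rule (`s3:ListBucket` is evaluated against the bucket ARN, object actions against `bucket/*`), not a full IAM evaluation.

```python
"""Least-privilege IAM policy for a WordPress media offload to S3, built from
the permission list in the post above (ListBucket, GetObject, PutObject,
DeleteObject, GetObjectAcl, PutObjectAcl). Added example, not W3 Total Cache
documentation; the bucket name is a placeholder and the checker encodes only
the generic S3 resource-scoping rules, not a full IAM evaluation."""
import json
from typing import Dict, List

BUCKET_ACTIONS = ["s3:ListBucket"]                      # evaluated against the bucket ARN
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:GetObjectAcl", "s3:PutObjectAcl"]  # evaluated against object ARNs


def media_offload_policy(bucket: str) -> Dict:
    """Two statements: bucket-level listing, object-level CRUD plus ACL read/write."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListMediaBucket", "Effect": "Allow",
             "Action": list(BUCKET_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ManageMediaObjects", "Effect": "Allow",
             "Action": list(OBJECT_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_problems(policy: Dict) -> List[str]:
    """Flag the usual over-privilege and mis-scoping mistakes in an S3 policy:
    wildcard actions or resources, ListBucket granted on an object ARN (never
    matches, so listing is denied) and object actions granted only on the
    bucket ARN (same effect for uploads)."""
    problems: List[str] = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        for a in actions:
            if a == "*" or a.endswith("*"):
                problems.append(f"{sid}: wildcard action {a}")
        for r in resources:
            if r in ("*", "arn:aws:s3:::*"):
                problems.append(f"{sid}: wildcard resource {r}")
        for a in actions:
            for r in resources:
                if not r.startswith("arn:aws:s3:::") or r.endswith(":*"):
                    continue  # non-S3 or wildcard ARN, already reported above
                if a in BUCKET_ACTIONS and r.endswith("/*"):
                    problems.append(f"{sid}: {a} on object ARN {r}")
                if a in OBJECT_ACTIONS and not r.endswith("/*"):
                    problems.append(f"{sid}: {a} on bucket ARN {r} (needs /*)")
    return problems


if __name__ == "__main__":
    policy = media_offload_policy("example-wp-media")  # placeholder bucket name
    print(json.dumps(policy, indent=2))
    print("problems:", policy_problems(policy))
```

Attach the printed JSON to the IAM user (or role) whose access key the plugin uses; nothing in it touches the bucket's public-access settings, which is consistent with the post's point that the bucket does not need to be public for the offload to work.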