Cross-Site Request Forgery Vulnerability in W3 Total Cache Plugin for WordPress
CVE-2014-9414
Currently unrated
Summary
W3 Total Cache plugin versions prior to 0.9.4.1 for WordPress are vulnerable to Cross-Site Request Forgery (CSRF) attacks. The vulnerability arises from improper handling of empty nonces, which lets remote attackers exploit it through unauthorized requests. An attacker can hijack the authentication of an administrator by crafting a malicious request that alters the mobile site redirect URI. Exploiting this issue can lead to significant security risks, including unauthorized changes to site settings.
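One common way an empty-nonce flaw arises is a check that verifies the token only when one is present. The following is an added example, not W3 Total Cache's code; the simplified HMAC nonce, the function names, the secret and the action string are all hypothetical. It contrasts that fail-open pattern with a fail-closed check.

```php
<?php
// Illustrative only: a simplified HMAC nonce, not WordPress's or the plugin's implementation.
const DEMO_SECRET = 'constructed-demo-secret'; // constructed sample value

function make_nonce(string $action, string $session): string
{
    // Bind the token to the action and to the administrator's session.
    return substr(hash_hmac('sha256', $action . '|' . $session, DEMO_SECRET), 0, 20);
}

// Fail-open: verification is skipped when no nonce is supplied.
function verify_fail_open(?string $nonce, string $action, string $session): bool
{
    if ($nonce === null || $nonce === '') {
        return true; // BUG: a request without a token is treated as valid
    }
    return hash_equals(make_nonce($action, $session), $nonce);
}

// Fail-closed: a missing or empty nonce is rejected before any comparison.
function verify_fail_closed(?string $nonce, string $action, string $session): bool
{
    if (!is_string($nonce) || $nonce === '') {
        return false;
    }
    return hash_equals(make_nonce($action, $session), $nonce);
}

// Constructed inputs: a genuine form post, an empty field, an absent field, a wrong token.
$session = 'admin-session-1';
$action  = 'save_mobile_redirect';
$cases = [
    'valid'   => make_nonce($action, $session),
    'empty'   => '',
    'missing' => null,
    'wrong'   => str_repeat('0', 20),
];

foreach ($cases as $label => $nonce) {
    printf(
        "%-8s fail_open=%-5s fail_closed=%s\n",
        $label,
        var_export(verify_fail_open($nonce, $action, $session), true),
        var_export(verify_fail_closed($nonce, $action, $session), true)
    );
}
```

In WordPress itself, the corresponding server-side checks are `wp_verify_nonce()` and `check_admin_referer()`, applied unconditionally to every state-changing admin request.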