PT-2014-8999 · Frederick Townes · W3 Total Cache

Villu164 · Published 2014-12-24 · Updated 2023-05-26 · CVE-2014-9414

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: W3 Total Cache plugin versions prior to 0.9.4.1

Description: The issue allows remote attackers to conduct cross-site request forgery (CSRF) attacks. This is possible due to the improper handling of empty nonces, which can lead to the hijacking of administrator authentication for specific requests. The requests in question are those that change the mobile site redirect URI via the `mobile_groups[*][redirect]` parameter and an empty `_wpnonce` parameter in the `w3tc_mobile` page of `wp-admin/admin.php`.

Recommendations: For versions prior to 0.9.4.1, update to version 0.9.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `w3tc_mobile` page in `wp-admin/admin.php` to minimize the risk of exploitation. Avoid using the `mobile_groups[*][redirect]` parameter with an empty `_wpnonce` parameter until the issue is resolved.
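The description above boils down to one defect class: a handler that verifies the nonce only when the request carries a non-empty one. The following PHP is an added illustration written for this page, not W3 Total Cache's source and not the upstream fix. It stands in a simplified HMAC nonce for WordPress's `wp_create_nonce()`/`wp_verify_nonce()`, and the function names, the `'w3tc'` action string, the `NONCE_SECRET` constant and the sample requests are all constructed for the example. It runs the same forged, nonce-less request through a flawed handler and a hardened one so the difference in outcome is visible.

```php
<?php
// Added illustration (not the plugin's code): an "only verify the nonce when
// one is supplied" check is equivalent to no CSRF protection at all.
// Nonce derivation below is a simplified stand-in for WordPress's own
// wp_create_nonce()/wp_verify_nonce(); all names here are assumptions.

const NONCE_SECRET   = 'constructed-site-secret';  // constructed, not a real key
const NONCE_LIFETIME = 43200;                       // validity window in seconds

// Derive a nonce bound to an action, a user and the current time window.
function make_nonce(string $action, int $user_id, int $now): string {
    $tick = intdiv($now, NONCE_LIFETIME);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), 0, 10);
}

// Accept a nonce from the current or the immediately previous window.
// An empty token is never valid: it proves nothing about the user's intent.
function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    if ($nonce === '') {
        return false;
    }
    $tick = intdiv($now, NONCE_LIFETIME);
    foreach ([$tick, $tick - 1] as $t) {
        $expected = substr(hash_hmac('sha256', "$t|$action|$user_id", NONCE_SECRET), 0, 10);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Flawed pattern (constructed to match the advisory's description): the nonce
// is checked only if present, so a request with an empty _wpnonce skips
// verification and the redirect setting is overwritten.
function handle_redirect_update_flawed(array $request, int $user_id, int $now, array &$settings): string {
    $nonce = $request['_wpnonce'] ?? '';
    if ($nonce !== '' && !verify_nonce($nonce, 'w3tc', $user_id, $now)) {
        return 'rejected';
    }
    $settings['redirect'] = $request['mobile_groups']['default']['redirect'] ?? $settings['redirect'];
    return 'updated';
}

// Hardened pattern: verification is unconditional, so a missing or empty
// nonce is rejected before any state changes.
function handle_redirect_update_fixed(array $request, int $user_id, int $now, array &$settings): string {
    $nonce = $request['_wpnonce'] ?? '';
    if (!verify_nonce($nonce, 'w3tc', $user_id, $now)) {
        return 'rejected';
    }
    $settings['redirect'] = $request['mobile_groups']['default']['redirect'] ?? $settings['redirect'];
    return 'updated';
}

// Constructed requests: one as the legitimate admin form would submit it,
// one shaped like a cross-site forgery, which cannot know the nonce value.
$now   = 1700000000;
$admin = 1;
$legit  = ['_wpnonce'      => make_nonce('w3tc', $admin, $now),
           'mobile_groups' => ['default' => ['redirect' => 'https://m.example.test/']]];
$forged = ['_wpnonce'      => '',
           'mobile_groups' => ['default' => ['redirect' => 'https://forged.example/']]];

foreach (['flawed' => 'handle_redirect_update_flawed',
          'fixed'  => 'handle_redirect_update_fixed'] as $label => $fn) {
    $settings = ['redirect' => 'https://m.example.test/'];
    printf("%-6s legit: %s, forged: %s, redirect now %s\n",
        $label,
        $fn($legit,  $admin, $now, $settings),
        $fn($forged, $admin, $now, $settings),
        $settings['redirect']);
}
```

Run with `php example.php`: the flawed handler reports `forged: updated` and the redirect target has been replaced, while the fixed handler reports `forged: rejected` and leaves the setting untouched. In a real plugin the equivalent of the hardened branch is an unconditional `check_admin_referer()` (or `wp_verify_nonce()` whose false result aborts the request) on every state-changing admin action, paired with a capability check such as `current_user_can('manage_options')`.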

Exploit · Fix · CSRF

Weakness Enumeration

Related Identifiers: CVE-2014-9414

Affected Products: W3 Total Cache