CVE-2024-12314

High

Published: 18 February 2025

Published

18 February 2025

Modified

24 February 2025

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS Score 0.0008 23.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12314 is a high-severity Use of Cache Containing Sensitive Information (CWE-524) vulnerability in Megaoptim Rapid Cache. Its CVSS base score is 7.2 (High).

Operationally, ranked at the 23.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation and sanitization of HTTP headers before storage in cache, directly preventing attackers from poisoning the cache with malicious unsanitized headers.

SI-15 Information Output Filtering partial match

prevent

Filters outputs from poisoned cache to neutralize custom headers that enable cross-site scripting in responses served to subsequent users.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of the identified cache poisoning flaw in the Rapid Cache plugin, eliminating the vulnerability across affected versions.

NVD Description

The Rapid Cache plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 1.2.3. This is due to plugin storing HTTP headers in the cached data. This makes it possible for unauthenticated attackers to poison…

the cache with custom HTTP headers that may be unsanitized which can lead to Cross-Site Scripting.

Deeper analysisAI

CVE-2024-12314 is a cache poisoning vulnerability affecting the Rapid Cache plugin for WordPress in all versions up to and including 1.2.3. The issue stems from the plugin storing HTTP headers in cached data without proper sanitization, enabling attackers to inject custom headers into the cache. Published on 2025-02-18, this flaw carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is linked to CWE-524 and NVD-CWE-Other.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted HTTP requests containing malicious headers, they can poison the site's cache, causing subsequent visitors to receive responses with unsanitized headers that facilitate cross-site scripting (XSS) attacks. The changed scope (S:C) in the CVSS vector indicates potential impact across security boundaries, with low confidentiality and integrity effects but no availability disruption.

Advisories from Wordfence and the plugin's WordPress.org page provide further details on this vulnerability. Security practitioners should consult these resources—https://www.wordfence.com/threat-intel/vulnerabilities/id/72b777ac-1870-4588-82fe-da96a784ec81?source=cve and https://wordpress.org/plugins/rapid-cache/—for patch information and recommended mitigation steps.

Details

CWE(s): CWE-524 NVD-CWE-Other

Affected Products

megaoptim

rapid cache

≤ 1.2.3

CVEs Like This One

CVE-2025-64762Shared CWE-524

References

https://wordpress.org/plugins/rapid-cache/
Product · security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/72b777ac-1870-4588-82fe-da96a784ec81?source=cve
Third Party Advisory · security@wordfence.com