Skip to main content

W3 Total Cache CVE-2026-39595

| EUVD-2026-37588 MEDIUM
Missing Authorization (CWE-862)
2026-06-17 Patchstack
Authentication Bypass W3 Total Cache
4.7
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
4.7 MEDIUM

Network-accessible WordPress endpoint; Author-level session required (PR:H); low, bounded CIA impact with no scope change to other systems.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:54 vuln.today

DescriptionCVE.org

Author Broken Access Control in W3 Total Cache <= 2.9.1 versions.

AnalysisAI

W3 Total Cache for WordPress (versions through 2.9.1) exposes Author-role users to administrative plugin functions due to missing authorization checks (CWE-862), enabling unintended read, write, and availability impacts against the caching layer. The CVSS vector confirms a network-accessible, low-complexity exploit requiring Author-level authentication (PR:H), with low but confirmed impact across all three CIA dimensions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Author-level WordPress credentials
Delivery
Authenticate to target WordPress site
Exploit
Send crafted request to unprotected W3TC plugin endpoint
Execution
Bypass missing authorization check
Impact
Read, modify, or flush cache data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid WordPress account with the Author role (or higher) on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 4.7 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L reflects a genuinely constrained risk profile: exploitation requires the attacker to already hold an Author account on the target WordPress site, which is not a trivially obtained precondition in most site configurations. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a legitimate WordPress Author account - obtained via registration, social engineering, or credential compromise - sends a crafted HTTP request directly to the W3 Total Cache plugin's unprotected endpoint, bypassing the missing capability check. Because no additional user interaction is required and the attack complexity is low, the attacker can read limited cache configuration data, modify caching settings, or flush caches to degrade site performance. …
Remediation Update W3 Total Cache to a version later than 2.9.1 once a patched release is published by BoldGrid. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39595 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy