CVE-2026-5032 | EUVD-2026-18136 | HIGH
2026-04-02, Wordfence
CVSS 3.1: 7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Apr 02, 2026 - 07:45 (vuln.today): Analysis Generated
Apr 02, 2026 - 07:45 (euvd): EUVD ID Assigned, EUVD-2026-18136
Apr 02, 2026 - 07:39 (nvd): CVE Published, HIGH 7.5

Description

The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains "W3 Total Cache", which causes raw mfunc/mclude dynamic fragment HTML comments - including the W3TC_DYNAMIC_SECURITY security token - to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled.
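A log check for the trigger described above, as an added example that is not part of the original advisory or of the plugin's code. It assumes access logs in the Apache/nginx "combined" format; the function names, the trusted-IP allowlist and the sample log lines are constructed for illustration.

```python
import re

# Substring that triggers the bypass, per the advisory description.
# Case-insensitive matching is a conservative assumption of this example.
TRIGGER = "w3 total cache"

# Apache/nginx "combined" log format (assumed; adjust to your own format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

def find_trigger_requests(lines, trusted_ips=frozenset({"127.0.0.1", "::1"})):
    """Return parsed entries whose User-Agent contains the trigger string
    and whose client address is not in trusted_ips (hypothetical allowlist
    for requests the site makes to itself)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skip
        if TRIGGER in m["ua"].lower() and m["ip"] not in trusted_ips:
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Group hits by client IP -> sorted list of distinct paths requested."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["path"])
    return {ip: sorted(paths) for ip, paths in by_ip.items()}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [02/Apr/2026:08:01:12 +0000] "GET /pricing/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [02/Apr/2026:08:03:40 +0000] "GET /pricing/ HTTP/1.1" 200 5344 "-" "W3 Total Cache"',
    '198.51.100.23 - - [02/Apr/2026:08:03:41 +0000] "GET / HTTP/1.1" 200 7001 "-" "probe (w3 total cache)"',
    '127.0.0.1 - - [02/Apr/2026:08:05:00 +0000] "GET / HTTP/1.1" 200 7001 "-" "W3 Total Cache"',
]

if __name__ == "__main__":
    for ip, paths in summarize(find_trigger_requests(SAMPLE)).items():
        print(f"{ip}: trigger User-Agent on {', '.join(paths)}")
```

A hit is a lead, not proof of disclosure: per the description, the token is only exposed on pages that contain dynamic fragment tags, on sites with fragment caching enabled.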

Analysis

W3 Total Cache plugin for WordPress exposes security tokens to unauthenticated remote attackers through User-Agent header manipulation. Versions up to 2.9.3 bypass output buffering when requests contain 'W3 Total Cache' in the User-Agent, leaking W3TC_DYNAMIC_SECURITY tokens embedded in dynamic fragment HTML comments. …

Remediation

Within 24 hours: Inventory all WordPress installations using W3 Total Cache and identify current plugin versions. Within 7 days: Upgrade W3 Total Cache to version 2.9.4 or later on all affected instances; verify upgrade completion and clear all cache. …

Priority Score

38 (KEV: 0, EPSS: +0.1, CVSS: +38, POC: 0)
