Skip to main content

W3 Total Cache CVE-2026-9282

| EUVDEUVD-2026-43164 HIGH
Path Traversal (CWE-22)
2026-07-11 security@wordfence.com GHSA-cx46-vqrj-hfqm
7.5
CVSS 3.1 · Vendor: wordfence
Share

Severity by source

Vendor (wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Network and unauthenticated (AV:N/PR:N), but the required non-default manual-minify configuration and crafted empty-hash filename make success condition-dependent (AC:H); confidentiality-only file read (C:H, I/A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wordfence).

CVSS VectorVendor: wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 07:32 vuln.today
CVE Published
Jul 11, 2026 - 07:16 nvd
HIGH 7.5

DescriptionCVE.org

The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires enabling manual minify mode and supplying a manual-format minify filename so that the hash is empty and the f_array[] entries are not overwritten before reaching setupSources().

AnalysisAI

Arbitrary file disclosure in the W3 Total Cache plugin for WordPress (versions ≤ 2.9.4) lets remote unauthenticated attackers read any file readable by the web server via a path traversal in the Minify subsystem's setupSources function. Exploitation is gated on the site running manual minify mode with a crafted manual-format filename, so it is not universally triggerable, and there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WP site with W3 Total Cache manual minify
Delivery
Craft manual-format minify filename yielding empty hash
Exploit
Submit request with traversal in f_array source path
Execution
setupSources reads arbitrary file
Impact
Exfiltrate sensitive file contents (e.g., wp-config.php)

Vulnerability AssessmentAI

Exploitation Exploitation requires the target site to have the W3 Total Cache Minify feature configured in manual minify mode, and the attacker must supply a manual-format minify filename crafted so the computed hash is empty and the f_array[] source entries are not overwritten before reaching setupSources(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) rates this HIGH with network, unauthenticated, low-complexity access and high confidentiality impact only - no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a WordPress site running W3 Total Cache ≤ 2.9.4 with manual minify enabled, an unauthenticated attacker sends a crafted minify request whose manual-format filename yields an empty hash, causing traversal source paths to survive into setupSources(). The response returns the contents of a targeted file such as wp-config.php, leaking database credentials and secret keys. …
Remediation Upgrade W3 Total Cache to the version above 2.9.4 that includes the upstream fix committed in changeset r3585227 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3585227%40w3-total-cache&new=3585227%40w3-total-cache); the input does not name an exact released tag, so confirm the fixed release number in the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/e92cc06d-006f-4bba-a4ef-b23d80c00085) before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for W3 Total Cache plugin presence and determine which sites have manual minify mode enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-9282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy