Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Unauthenticated network RCE (AV:N/PR:N/UI:N) with full impact and scope change; AC:H retained because a specific input-validation condition must be met.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
Description (source: CVE.org)
Unauthenticated Arbitrary Code Execution in W3 Total Cache <= 2.9.4 versions.
Analysis (AI-generated)
Unauthenticated arbitrary code execution affects the W3 Total Cache WordPress caching plugin in all versions up to and including 2.9.4, allowing remote attackers to execute code and fully compromise the underlying site without credentials or user interaction. The scope-changing CVSS 9.0 (Critical) rating reflects the plugin's deep hooks into WordPress request handling. …
Vulnerability Assessment (AI-generated)
| Section | Assessment |
|---|---|
| Exploitation | Exploitation targets the W3 Total Cache plugin (versions <= 2.9.4) and requires no authentication (PR:N) and no user interaction (UI:N) over the network (AV:N), so any internet-reachable WordPress site with the vulnerable plugin active is exposed. … |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H yields a base score of 9.0 (Critical): network-reachable, no privileges, no user interaction, full confidentiality/integrity/availability impact, and a changed scope. … |
| Exploit Scenario | A remote, unauthenticated attacker sends specially crafted requests to a WordPress site running W3 Total Cache 2.9.4 or earlier, supplying malformed quantity/size input that the plugin fails to validate, and triggers the specific condition needed to coerce the plugin into executing attacker-controlled code, giving full control of the site. No PoC has been published, and the AC:H rating means the attacker must reliably hit the required precondition, so an automated exploit would likely need tuning against the target environment. |
| Remediation | No vendor-released patch version was identified in the provided data; upgrade to the first W3 Total Cache release above 2.9.4 as published by the vendor once confirmed, and consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/w3-total-cache/vulnerability/wordpress-w3-total-cache-plugin-2-9-4-arbitrary-code-execution-vulnerability?_s_id=cve) for the exact fixed version before deploying. … |
Recommended Action (AI-generated)
Within 24 hours: Conduct inventory of all WordPress installations to identify W3 Total Cache presence and version; immediately disable the plugin on any instance running version 2.9.4 or earlier. …
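The inventory step above can be scripted. The following is an added example, not part of the vuln.today record or the plugin: it compares an installed W3 Total Cache version against the affected range (<= 2.9.4) with a component-wise version comparison (so 2.10.0 is correctly treated as newer than 2.9.4) and, per WordPress install path, queries the version and activation status through WP-CLI. It assumes WP-CLI (`wp`) is available on the host; the version logic itself needs only POSIX sh tools.

```shell
#!/bin/sh
# Added example (not from the vuln.today record): report WordPress installs whose
# W3 Total Cache version falls in the affected range (<= 2.9.4) and show whether
# the plugin is active. Assumes WP-CLI ("wp") is installed for the per-site query.

AFFECTED_MAX="2.9.4"   # highest affected version per the advisory text above

# numeric_part STR: leading digits of one version component ("4-beta1" -> "4", "" -> "0").
numeric_part() {
  n=$(printf '%s' "$1" | sed 's/[^0-9].*//')
  printf '%s' "${n:-0}"
}

# version_le A B: exit 0 when A <= B, comparing up to four dotted numeric components.
# Missing components count as 0, so "2.9" is read as "2.9.0.0".
version_le() {
  i=1
  while [ "$i" -le 4 ]; do
    x=$(numeric_part "$(printf '%s' "$1" | cut -d. -f"$i")")
    y=$(numeric_part "$(printf '%s' "$2" | cut -d. -f"$i")")
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# w3tc_is_vulnerable VERSION: exit 0 when VERSION is within the affected range.
w3tc_is_vulnerable() {
  version_le "$1" "$AFFECTED_MAX"
}

# check_wp_site PATH: query the install at PATH with WP-CLI and print a one-line finding.
# Exits 1 when an affected version is present (active or not) so callers can act on it.
check_wp_site() {
  site="$1"
  if ! ver=$(wp plugin get w3-total-cache --field=version --path="$site" 2>/dev/null); then
    echo "$site: W3 Total Cache not installed"
    return 0
  fi
  status=$(wp plugin get w3-total-cache --field=status --path="$site" 2>/dev/null)
  if w3tc_is_vulnerable "$ver"; then
    echo "$site: W3 Total Cache $ver ($status) is in the affected range (<= $AFFECTED_MAX); deactivate or update"
    return 1
  fi
  echo "$site: W3 Total Cache $ver is outside the affected range"
}

# Usage: sh w3tc_check.sh /var/www/site1 /var/www/site2 ...
# rc becomes 1 if any listed site carries an affected version.
rc=0
for site in "$@"; do
  check_wp_site "$site" || rc=1
done
if [ "$#" -gt 0 ] && [ "$rc" -ne 0 ]; then
  echo "One or more sites need W3 Total Cache deactivated or updated"
fi
```

For the "disable the plugin" step, `wp plugin deactivate w3-total-cache --path=/path/to/site` is the corresponding WP-CLI command; the script only reports, so the operator decides per site whether to deactivate or update.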
More in W3 Total Cache
- The W3 Total Cache plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.8.
- W3 Total Cache for WordPress (versions through 2.9.1) exposes Author-role users to administrative plugin functions due t
- The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check o
- The W3 Total Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability c
References
- EUVD-2026-41365
- GHSA-m2v8-v989-39q2