Vulnerabilities and security researches forw3-total-cache w3-total-cache

Direction: descending

Jun 19, 2026

W3 Total Cache # CVE-2026-39595

CVE, Research URL: CVE-2026-39595
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Jun 17, 2026
Research Description: Author Broken Access Control in W3 Total Cache <= 2.9.1 versions.
Affected versions: max 2.9.2.
Status: vulnerable

Jun 16, 2026

W3 Total Cache # 91816c620bff939df0db1b9923ab56362614d8ff

CVE, Research URL: 91816c620bff939df0db1b9923ab56362614d8ff
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 27, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 WordPress W3 Total Cache Plugin <= 0.9.4.1 - Arbitrary PHP Code Execution This plugin is prone to an authenticated arbitrary PHP code execution vulnerability. Update the plugin.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 887fbfcb2894d958d0915dea688fc101acf4d15a

CVE, Research URL: 887fbfcb2894d958d0915dea688fc101acf4d15a
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 27, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 WordPress W3 Total Cache Plugin <= 0.9.4.1 - Arbitrary File Upload This plugin is prone to an authenticated arbitrary file upload vulnerability. Update the plugin.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 3d94635fdc144f68425abe52237de17b1b89efcc

CVE, Research URL: 3d94635fdc144f68425abe52237de17b1b89efcc
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 27, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 WordPress W3 Total Cache Plugin <= 0.9.4.1 - Arbitrary File Download This plugin is prone to authenticated arbitrary file download vulnerability. Update the plugin.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 6997ee28e3d8ea8b4131bc872c0aa1712376622f

CVE, Research URL: 6997ee28e3d8ea8b4131bc872c0aa1712376622f
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 26, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 WordPress W3 Total Cache Plugin <= 0.9.4.1 - Reflected Cross Site Scripting Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 0922cc61c0a7483985f79748dccdee296b0f6729

CVE, Research URL: 0922cc61c0a7483985f79748dccdee296b0f6729
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: May 07, 2019
Research Description: W3 Total Cache [w3-total-cache] < 0.9.7.4 WordPress W3 Total Cache plugin <= 0.9.7.3 - Cross-Site Scripting (XSS) vulnerability Cross-Site Scripting (XSS) vulnerability found by Thomas Chauchefoin in WordPress W3 Total Cache plugin (versions <= 0.9.7.3).
Affected versions: max 0.9.7.4.
Status: vulnerable

W3 Total Cache # 0fe7a6f62fbcb8ec10bdee902c9620cfce4af778

CVE, Research URL: 0fe7a6f62fbcb8ec10bdee902c9620cfce4af778
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 27, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 WordPress W3 Total Cache Plugin <= 0.9.4.1 - Bypass This plugin is prone to unauthenticated security token bypass vulnerability. Update the plugin.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # f3337db796050925ade10a6a14847e57c053e3ab

CVE, Research URL: f3337db796050925ade10a6a14847e57c053e3ab
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: May 15, 2015
Research Description: W3 Total Cache [w3-total-cache] < 0.9.4.1 WordPress W3 Total Cache Plugin <= 0.9.4 - Cross Site Request Forgery This plugin is prone to edge mode enabling cross site request forgery vulnerability. Update the plugin.
Affected versions: max 0.9.4.1.
Status: vulnerable

W3 Total Cache # ab678c61-7609-4497-82b4-3cbbc84081a2

CVE, Research URL: ab678c61-7609-4497-82b4-3cbbc84081a2
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 - Authenticated Reflected Cross-Site Scripting (XSS) The W3 Total Cache WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting (XSS) security vulnerability.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 0f23fa7c-ddeb-4dfb-9718-2cbff24cffe7

CVE, Research URL: 0f23fa7c-ddeb-4dfb-9718-2cbff24cffe7
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.7.4 W3 Total Cache < 0.9.7.4 - Blind SSRF and RCE via phar The implementation of `opcache_flush_file` calls `file_exists` with a parameter fully controlled by the user.
Affected versions: max 0.9.7.4.
Status: vulnerable

W3 Total Cache # cbcbc279-3feb-4bb5-a53d-287961bbc18f

CVE, Research URL: cbcbc279-3feb-4bb5-a53d-287961bbc18f
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 – Authenticated Arbitrary File Download When you're creating a support ticket in the plugin page, you can add one or more of your your template themes. Then this file will be send to the author to help him resolving the issue. Now you select one, you send the form and same as for the files before, you will send it to the author to help him to fix the issue. How does it work: ********** /** * Attach templates */ foreach ($templates as $template) { if (!empty($template)) { $attachments[] = $template; } } ********** foreach ($attachments as $attachment) { if (is_network_admin()) update_site_option('attachment_' . md5($attachment), $attachment); else update_option('attachment_' . md5($attachment), $attachment); } ********** /** * Remove temporary files */ foreach ($attachments as $attachment) { // ... if (is_network_admin()) delete_site_option('attachment_' . md5($attachment)); else delete_option('attachment_' . md5($attachment)); } ********** $attachment_location = filter_var(urldecode($_REQUEST['file']), FILTER_SANITIZE_STRING); $md5 = md5($attachment_location); $nonce = $_REQUEST['nonce']; $stored_nonce = get_site_option('w3tc_support_request') ? get_site_option('w3tc_support_request') : get_option('w3tc_support_request'); $stored_attachment = get_site_option('w3tc_support_request') ? get_site_option('attachment_' . $md5) : get_option('attachment_' . $md5); if (file_exists($attachment_location) && $nonce == $stored_nonce && !empty($stored_nonce) && $stored_attachment == $attachment_location) { ********** First, our choices are added to the attachments array, second an option is added, this will be used to be sure that this file was chosen from this support form, then this options are deleted when the submission is done. Between the option creation and delete that the files.php is called to get the attachment, verified with a nonce and with the created option. The vulnerability stays in the fact that we can modify – using firebug for example – the templates name to another existing file from the site, like wp-config.php. So now, an option has been created with this fake theme template. Then using the same type juggling flaw as before, I can validate the nonce because of the ==. You also have to add a 20 Mb file to gain time to exploit this. Pointing on the files.php URL like that can help me to download the wp-config.php, because for the same reason as before, an administrator is not always allowed to read the config file, he's not the webmaster but a WordPress administrator, so this represent a vulnerability.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 666d4a0d-f925-4582-b621-1c913dffb894

CVE, Research URL: 666d4a0d-f925-4582-b621-1c913dffb894
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 – Authenticated Arbitrary File Upload When you're creating a support ticket in the plugin page, you can add one or more of your files from your computer. Then this file will be send to the author to help him resolving the issue. When we look at the code, W3TC is doing that: ********** /** * Attach other files */ if (!empty($_FILES['files'])) { $files = (array)$_FILES['files']; for ($i = 0, $l = count($files); $i < $l; $i++) { if (isset($files['tmp_name'][$i]) && isset($files['name'][$i]) && isset($files['error'][$i]) && $files['error'][$i] == UPLOAD_ERR_OK) { $path = W3TC_CACHE_TMP_DIR . '/' . $files['name'][$i]; if (@move_uploaded_file($files['tmp_name'][$i], $path)) { $attachments[] = $path; } } } } ********** and ********** /** * Remove temporary files */ foreach ($attachments as $attachment) { if (strstr($attachment, W3TC_CACHE_TMP_DIR) !== false) { @unlink($attachment); } ********** Ok, so, when you submit the form as an administrator, W3TC uploads our file in its temporary folder /wp-content/cache/tmp/ then will delete them right after that, the file will live only a few milliseconds. But what if I try to send 2 files, the first one is a 2 Kb malicious PHP file containing a backdoor, the second one is a 20 Mb file. The submission will last more longer, the first file won't be deleted since the second one is not uploaded, I can now access to the first file. An administrator is not always allowed to execute custom PHP code, he's not the webmaster but a WordPress administrator, so this represent a vulnerability.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # b6817692-4f97-4f8c-907c-7e7c8492d43a

CVE, Research URL: b6817692-4f97-4f8c-907c-7e7c8492d43a
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.4.1 W3 Total Cache 0.9.4 - Edge Mode Enabling CSRF The W3 Total Cache WordPress plugin was affected by an Edge Mode Enabling CSRF security vulnerability.
Affected versions: max 0.9.4.1.
Status: vulnerable

W3 Total Cache # f4dd379d6047628a42a4e08403e5ed8d741577c7

CVE, Research URL: f4dd379d6047628a42a4e08403e5ed8d741577c7
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: May 01, 2013
Research Description: W3 Total Cache [w3-total-cache] < 0.9.2.9 WordPress W3 Total Cache plugin <= 0.9.2.8 - PHP Code Execution vulnerability W3 Total Cache plugin is prone to a PHP code execution vulnerability because of the handling of certain macros such as "mfunc" that allows arbitrary PHP code injection. Update the WordPress W3 Total Cache plugin to the latest available version (at least 0.9.2.9).
Affected versions: max 0.9.2.9.
Status: vulnerable

W3 Total Cache # f8409eab-b434-468d-9a0a-66e8bb85d4fc

CVE, Research URL: f8409eab-b434-468d-9a0a-66e8bb85d4fc
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.7.4 W3 Total Cache < 0.9.7.3 - Cryptographic Signature Bypass The return value of `openssl_verify` is not properly validated, which allows to bypass the cryptographic check.
Affected versions: max 0.9.7.4.
Status: vulnerable

W3 Total Cache # 6dbb1a21-9805-401b-8cd4-f7c387c99199

CVE, Research URL: 6dbb1a21-9805-401b-8cd4-f7c387c99199
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.7.4 W3 Total Cache <= 0.9.7.3 - Cross-Site Scripting (XSS) The W3 Total Cache WordPress plugin was affected by a Cross-Site Scripting (XSS) security vulnerability.
Affected versions: max 0.9.7.4.
Status: vulnerable

W3 Total Cache # 752fc738-496f-44fd-9ca6-24e29ef8e75e

CVE, Research URL: 752fc738-496f-44fd-9ca6-24e29ef8e75e
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 – Authenticated Arbitrary PHP Code Execution This one is so mush easy to exploit using the import settings feature, this is what W3TC will do one your file is uploaded: ********** /** * Imports config content * * @param string $filename * @return boolean */ function import($filename) { if (file_exists($filename) && is_readable($filename)) { $data = file_get_contents($filename); if (substr($data, 0, 5) == '<?php') $data = substr($data, 5); $config = eval($data); if (is_array($config)) { foreach ($config as $key => $value) $this->set($key, $value); return true; } } return false; } ********** The bad line is $config = eval($data); because it means that all my file content will be evaluated like any other PHP code. Basically we can send a PHP script that will create a backdoor.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 3b66bd46-b266-4f3b-ae74-823586e73ebd

CVE, Research URL: 3b66bd46-b266-4f3b-ae74-823586e73ebd
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 – Unauthenticated Security Token Bypass The /pub/apc.php file is used to empty the OPCache/APC. The script seems protected by a nonce (aka security token): *********** $nonce = W3_Request::get_string('nonce'); $uri = $_SERVER['REQUEST_URI']; if (wp_hash($uri) == $nonce) { ************ But the flaw stays in the == operator which is not the one to use when you want to compare hashes because of php type juggling. You can find an example of type juggling on https://3v4l.org/tT4l8 To exploit the vulnerability, the token has to start with `0e` and all other chars have to be numbers, then the user can just add a param in the url like `?nonce=0` and it will be validated.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 70c644e0-3d60-4f97-bdbb-39b5cec25c7f

CVE, Research URL: 70c644e0-3d60-4f97-bdbb-39b5cec25c7f
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 - Weak Validation of Amazon SNS Push Messages The W3 Total Cache WordPress plugin was affected by a Weak Validation of Amazon SNS Push Messages security vulnerability.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # e9f01529-7f46-4044-aee2-bdda910cb6ac

CVE, Research URL: e9f01529-7f46-4044-aee2-bdda910cb6ac
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 - Information Disclosure Race Condition The W3 Total Cache WordPress plugin was affected by an Information Disclosure Race Condition security vulnerability.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 8835ac84-9176-44f6-9218-7022debf0eab

CVE, Research URL: 8835ac84-9176-44f6-9218-7022debf0eab
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: -
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4 - Unauthenticated Server Side Request Forgery (SSRF) The W3 Total Cache WordPress plugin was affected by an Unauthenticated Server Side Request Forgery (SSRF) security vulnerability.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 8914eae9e90e5064c78effaf3b28a4eed5695eb0

CVE, Research URL: 8914eae9e90e5064c78effaf3b28a4eed5695eb0
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: May 22, 2019
Research Description: W3 Total Cache [w3-total-cache] < 0.9.7.4 W3 Total Cache <= 0.9.7.3 - Server Side Request Forgery The W3 Total Cache plugin for WordPress is vulnerable to Server Side Request Forgery in versions up to, and including 0.9.7.3, due to insufficient user input validation in the opcache_flush_file file.
Affected versions: max 0.9.7.4.
Status: vulnerable

W3 Total Cache # d10065940b7560bcc2c3fde42548d084ae67f076

CVE, Research URL: d10065940b7560bcc2c3fde42548d084ae67f076
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: May 07, 2019
Research Description: W3 Total Cache [w3-total-cache] < 0.9.7.4 W3 Total Cache plugin <= 0.9.7.3 - Reflected Cross-Site Scripting The W3 Total Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to insufficient input validation on the $command variable, which makes it possible for attackers to inject arbitrary web sites in victims browsers in versions up to, and including, 0.9.7.3.
Affected versions: max 0.9.7.4.
Status: vulnerable

W3 Total Cache # ade6610e45ed3c5100030940d6f2c0eed9bba619

CVE, Research URL: ade6610e45ed3c5100030940d6f2c0eed9bba619
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Oct 31, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4 - Server-Side Request Forgery leading to Host Information Disclosure The W3 Total Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 0.9.4. This is due to a minify function incorrectly restricting path input. This makes it possible for attackers to access restricted resources on private networks by using a vulnerable installation as a limited HTTP GET proxy.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 93fe3c61a47870bbeb7075d84dd635c1a1fd2b0e

CVE, Research URL: 93fe3c61a47870bbeb7075d84dd635c1a1fd2b0e
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 26, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 - Security Token Bypass via Type Juggling The W3 Total Cache plugin for WordPress is vulnerable to authorization bypass due to the use of loose comparison on the nonce value in the /pub/apc.php file. This affects versions up to, and including, 0.9.4.1. This makes it possible for attackers to bypass nonce protections if a valid nonce starts with 0e. In the right situation this bypass can be used to empty the OPCache.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 8bbc76fa6332bab2da8c13b6c3951743717967b8

CVE, Research URL: 8bbc76fa6332bab2da8c13b6c3951743717967b8
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 26, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 - Arbitrary File Upload The W3 Total Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including, 0.9.4.1. This makes it possible for authenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # dc96b31f0157331474aacdc40f3c0d7ac7c77a12

CVE, Research URL: dc96b31f0157331474aacdc40f3c0d7ac7c77a12
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 26, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 - Authenticated Arbitrary File Download The W3 Total Cache plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 0.9.4.1 This can allow an administrator attacker to extract sensitive data from wp-config.php that could be used to fully take over the site.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 7f3b8aa7e2f030804e7f93da0c1085499f696a4b

CVE, Research URL: 7f3b8aa7e2f030804e7f93da0c1085499f696a4b
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: May 07, 2019
Research Description: W3 Total Cache [w3-total-cache] < 0.9.7.4 W3 Total Cache <= 0.9.7.3 - Improper Input Validation via openssl_verify W3 Total Cache in versions 0.5 up to 0.9.7.3 does not sufficiently validate the "openssl_verify" result in "/services/MessageValidator/MessageValidator.php". A remote attacker can create a specially crafted certificate and bypass cryptographic checks.
Affected versions: max 0.9.7.4.
Status: vulnerable

W3 Total Cache # d473645bbab8ab677705fe4535f09454f537d982

CVE, Research URL: d473645bbab8ab677705fe4535f09454f537d982
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Nov 10, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 - Weak validation of Amazon SNS push messages The W3 Total Cache plugin for WordPress is vulnerable to weak validation of Amazon SNS push messages in versions up to, and including, 0.9.4.1. This makes it possible for attackers to perform a variety of actions concerning the server's cache, such as performing a Denial of Service attack on the site.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # f5e6351ff19dc391a2a750b2f7b0f97e716d5b29

CVE, Research URL: f5e6351ff19dc391a2a750b2f7b0f97e716d5b29
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Jul 29, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 - Cross-Site Scripting via request_id The W3 Total Cache plugin plugin for WordPress is vulnerable to Cross-Site Scripting via the 'request_id' parameter in versions up to, and including, 0.9.4.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser.
Affected versions: max 0.9.5.
Status: vulnerable

W3 Total Cache # 440d508939c231b4d88a35a4f78ea3fab258d1d8

CVE, Research URL: 440d508939c231b4d88a35a4f78ea3fab258d1d8
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 08, 2014
Research Description: W3 Total Cache [w3-total-cache] < 0.9.4.1 W3 Total Cache <= 0.9.4 - Cross-Site Request Forgery leading to Stored Cross-Site Scripting The W3 Total Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.9.4. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 0.9.4.1.
Status: vulnerable

W3 Total Cache # 9070d4e77dc9c3bb83729cfa0eb88b9abc5e7f38

CVE, Research URL: 9070d4e77dc9c3bb83729cfa0eb88b9abc5e7f38
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 26, 2016
Research Description: W3 Total Cache [w3-total-cache] < 0.9.5 W3 Total Cache <= 0.9.4.1 - Arbitrary Code Execution via settings import The W3 Total Cache plugin for WordPress is vulnerable to Authenticated Arbitrary Code Execution via settings import in versions up to, and including, 0.9.4.1. This makes it possible for authenticated attackers to inject and execute arbitrary code.
Affected versions: max 0.9.5.
Status: vulnerable

Apr 24, 2026

W3 Total Cache # CVE-2025-9501

CVE, Research URL: CVE-2025-9501
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Nov 17, 2025
Research Description: The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.
Affected versions: max 2.8.13.
Status: vulnerable

Apr 13, 2026

W3 Total Cache # CVE-2026-5032

CVE, Research URL: CVE-2026-5032
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Apr 02, 2026
Research Description: The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains "W3 Total Cache", which causes raw mfunc/mclude dynamic fragment HTML comments — including the W3TC_DYNAMIC_SECURITY security token — to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled. With the leaked W3TC_DYNAMIC_SECURITY token, an attacker can craft valid mfunc tags to execute arbitrary PHP code on the server, achieving remote code execution.
Affected versions: max 2.9.4.
Status: vulnerable

Mar 28, 2026

W3 Total Cache # CVE-2026-27384

CVE, Research URL: CVE-2026-27384
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Mar 05, 2026
Research Description: Improper Validation of Specified Quantity in Input vulnerability in BoldGrid W3 Total Cache w3-total-cache allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects W3 Total Cache: from n/a through <= 2.9.1.
Affected versions: max 2.9.2.
Status: vulnerable

Feb 23, 2026

W3 Total Cache # PSC-2026-64614

PSC, Research URL: PSC-2026-64614
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Feb 23, 2026
Research Description: Caching and performance optimization plugins can dramatically improve page speed, but they also expand the security footprint because they sit between dynamic application logic and static delivery. A cache can unintentionally store and serve private content, expose sensitive headers or debug artifacts, or create integrity issues when minification and rewrite rules transform how resources are delivered. These plugins also tend to touch high-risk areas like wp-admin configuration, filesystem writes (cache directories, rewrite rules), and external integrations (CDNs, reverse proxies), which means weaknesses frequently translate into data leakage, stored XSS in admin previews, cache poisoning, or denial-of-service conditions. W3 Total Cache version 2.9.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64614, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for caching and optimization plugins.
Affected versions: Min 2.9.4, max 2.9.4.
Status: SAFE & CERTIFIED

Mar 12, 2025

W3 Total Cache # PSC-2025-64559

PSC, Research URL: PSC-2025-64559
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Aug 05, 2025
Research Description: W3 Total Cache (W3TC) is a powerful performance optimization plugin designed to enhance website speed, SEO rankings, and user experience. It achieves this by leveraging caching mechanisms, content delivery network (CDN) integration, and advanced web performance optimization (WPO) techniques. Trusted by over a million users, W3TC significantly reduces page load times, ensuring seamless website performance. The plugin has undergone rigorous security testing and has successfully obtained the Plugin Security Certification (PSC-2025-64559) from CleanTalk, guaranteeing a secure environment for WordPress websites.
Affected versions: Min 2.9.4, max 2.9.4.
Status: SAFE & CERTIFIED

Jan 14, 2025

W3 Total Cache # CVE-2024-12365

CVE, Research URL: CVE-2024-12365
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Jan 14, 2025
Research Description: The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications.
Affected versions: max 2.8.2.
Status: vulnerable

W3 Total Cache # CVE-2024-12006

CVE, Research URL: CVE-2024-12006
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Jan 14, 2025
Research Description: The W3 Total Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to deactivate the plugin as well as activate and deactivate plugin extensions.
Affected versions: max 2.8.2.
Status: vulnerable

W3 Total Cache # CVE-2024-12008

CVE, Research URL: CVE-2024-12008
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Jan 14, 2025
Research Description: The W3 Total Cache plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.8.1 through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF attacks. Note: the debug feature must be enabled for this to be a concern, and it is disabled by default.
Affected versions: max 2.8.2.
Status: vulnerable

Sep 25, 2024

W3 Total Cache # CVE-2023-5359

CVE, Research URL: CVE-2023-5359
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Sep 25, 2024
Research Description: The W3 Total Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.5 via Google OAuth API secrets stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to impersonate W3 Total Cache and gain access to user account information in successful conditions. This would not impact the WordPress users site in any way.
Affected versions: max 2.7.6.
Status: vulnerable

Jun 07, 2024

W3 Total Cache # CVE-2014-8724

CVE, Research URL: CVE-2014-8724
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Dec 19, 2014
Research Description: Cross-site scripting (XSS) vulnerability in the W3 Total Cache plugin before 0.9.4.1 for WordPress, when debug mode is enabled, allows remote attackers to inject arbitrary web script or HTML via the "Cache key" in the HTML-Comments, as demonstrated by the PATH_INFO to the default URI.
Affected versions: max 0.9.4.1.
Status: vulnerable

W3 Total Cache # CVE-2013-2010

CVE, Research URL: CVE-2013-2010
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Feb 12, 2020
Research Description: WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability
Affected versions: max 0.9.2.9.
Status: vulnerable

W3 Total Cache # CVE-2019-6715

CVE, Research URL: CVE-2019-6715
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Apr 02, 2019
Research Description: pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.
Affected versions: max 0.9.4.
Status: vulnerable

W3 Total Cache # CVE-2021-24436

CVE, Research URL: CVE-2021-24436
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Jul 19, 2021
Research Description: The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.
Affected versions: max 2.1.4.
Status: vulnerable

W3 Total Cache # CVE-2014-9414

CVE, Research URL: CVE-2014-9414
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Dec 24, 2014
Research Description: The W3 Total Cache plugin before 0.9.4.1 for WordPress does not properly handle empty nonces, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and hijack the authentication of administrators for requests that change the mobile site redirect URI via the mobile_groups[*][redirect] parameter and an empty _wpnonce parameter in the w3tc_mobile page to wp-admin/admin.php.
Affected versions: max 0.9.4.1.
Status: vulnerable

W3 Total Cache # CVE-2021-24452

CVE, Research URL: CVE-2021-24452
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Jul 19, 2021
Research Description: The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.
Affected versions: max 2.1.5.
Status: vulnerable

W3 Total Cache # CVE-2021-24427

CVE, Research URL: CVE-2021-24427
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Jul 13, 2021
Research Description: The W3 Total Cache WordPress plugin before 2.1.3 did not sanitise or escape some of its CDN settings, allowing high privilege users to use JavaScript in them, which will be output in the page, leading to an authenticated Stored Cross-Site Scripting issue
Affected versions: max 2.1.3.
Status: vulnerable

W3 Total Cache # CVE-2012-6078

CVE, Research URL: CVE-2012-6078
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Nov 23, 2019
Research Description: W3 Total Cache before 0.9.2.5 generates hash keys insecurely which allows remote attackers to predict the values of the hashes.
Affected versions: max 0.9.2.5.
Status: vulnerable

W3 Total Cache # CVE-2022-31090

CVE, Research URL: CVE-2022-31090
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Jun 28, 2022
Research Description: Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.
Affected versions: max 2.2.3.
Status: vulnerable

W3 Total Cache # CVE-2012-6077

CVE, Research URL: CVE-2012-6077
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Nov 23, 2019
Research Description: W3 Total Cache before 0.9.2.5 allows remote attackers to retrieve password hash information due to insecure storage of database cache files.
Affected versions: max 0.9.2.5.
Status: vulnerable

W3 Total Cache # CVE-2012-6079

CVE, Research URL: CVE-2012-6079
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Date: Nov 23, 2019
Research Description: W3 Total Cache before 0.9.2.5 exposes sensitive cached database information which allows remote attackers to download this information via their hash keys.
Affected versions: max 0.9.2.5.
Status: vulnerable