cleantalk
Vulnerabilities and Security Researches

W3 Total Cache, 3b66bd46-b266-4f3b-ae74-823586e73ebd

Application

W3 Total Cache

Published on
-
Research Description
W3 Total Cache [w3-total-cache] < 0.9.5

W3 Total Cache <= 0.9.4.1 - Unauthenticated Security Token Bypass

The /pub/apc.php file is used to empty the OPCache/APC. The script appears to be protected by a nonce (a security token):

    $nonce = W3_Request::get_string('nonce');
    $uri = $_SERVER['REQUEST_URI'];
    if (wp_hash($uri) == $nonce) {

The flaw is the == operator, which must not be used to compare hashes because of PHP type juggling: when both operands are numeric strings, == converts them to numbers and compares the numbers instead of the bytes. An example of type juggling can be found at https://3v4l.org/tT4l8

To exploit the vulnerability, the expected token (the output of wp_hash($uri)) has to start with `0e` with every remaining character a digit, so that PHP evaluates it as the number zero; the attacker then only needs to add a parameter such as `?nonce=0` to the URL and the comparison succeeds without knowing the real token. The correct comparison is hash_equals(), which compares the two strings byte by byte in constant time and never converts them to numbers.
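The following is an added illustration of the bypass and of the hardened comparison; it is not W3 Total Cache or WordPress code. The function `fake_wp_hash()` stands in for wp_hash() using HMAC-MD5 over a made-up constant salt (an assumption; WordPress derives the key from its configured salts), and the known magic hash md5('240610708') is used as an example of a token in the `0e` + digits form. Nothing in the bypass depends on the salt, only on the operator used for the comparison.

```php
<?php
// Added example, not code from the plugin. Demonstrates why
//   if (wp_hash($uri) == $nonce)
// is bypassable with ?nonce=0 when the hash looks like 0e<digits>,
// and how hash_equals() closes the hole.
declare(strict_types=1);

// Assumption: a stand-in salt. Real wp_hash() uses wp_salt(), not a constant.
const ASSUMED_SALT = 'not-a-real-wordpress-salt';

// Stand-in for wp_hash(): HMAC-MD5 of the data under the salt (32 hex chars).
function fake_wp_hash(string $data): string {
    return hash_hmac('md5', $data, ASSUMED_SALT);
}

// Vulnerable check, as described on the page: loose string comparison.
// If both strings are numeric ("0e462..." and "0"), PHP compares 0.0 == 0.0.
function nonce_valid_loose(string $expected, string $supplied): bool {
    return $expected == $supplied;
}

// Hardened check: byte-by-byte, constant-time, no numeric conversion.
function nonce_valid_strict(string $expected, string $supplied): bool {
    return hash_equals($expected, $supplied);
}

// A hash in the bypassable shape: 0e followed only by digits.
function is_zero_like_hash(string $hash): bool {
    return (bool) preg_match('/^0e[0-9]+$/', $hash);
}

// md5('240610708') is the well-known "0e462097431906509019562988736854".
$magic = md5('240610708');
printf("magic hash   : %s (zero-like: %s)\n", $magic, var_export(is_zero_like_hash($magic), true));
printf("loose  == '0': %s  <-- bypass with ?nonce=0\n", var_export(nonce_valid_loose($magic, '0'), true));
printf("hash_equals  : %s\n", var_export(nonce_valid_strict($magic, '0'), true));

// An ordinary token for the apc.php URI: no bypass with either operator,
// because the expected value is not a numeric string.
$ordinary = fake_wp_hash('/wp-content/plugins/w3-total-cache/pub/apc.php');
printf("ordinary hash: %s (zero-like: %s)\n", $ordinary, var_export(is_zero_like_hash($ordinary), true));
printf("loose  == '0': %s\n", var_export(nonce_valid_loose($ordinary, '0'), true));
printf("hash_equals  : %s\n", var_export(nonce_valid_strict($ordinary, '0'), true));
```

Note that the numeric-string comparison rule survived PHP 8: the 8.0 change to == only affects a numeric string compared against a non-numeric one, so `"0e462097431906509019562988736854" == "0"` is still true on current PHP. When auditing similar token checks, grep for `==` or `!=` next to md5, sha1, wp_hash or hash_hmac results and replace them with hash_equals(); `===` also stops the juggling but is not constant-time.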
Affected versions
max 0.9.5.
Status
vulnerable