Impact
This vulnerability arises from improper validation of the quantity input in the BoldGrid W3 Total Cache plugin, enabling attackers to invoke functionality that should be protected by access control lists. Because the plugin processes the quantity parameter without adequate checks, an attacker can execute arbitrary code on the server, effectively compromising the entire WordPress installation. The flaw directly undermines the integrity and confidentiality of the host, allowing full system compromise if exploited. The weakness is a classic example of unauthorized modification of software, as categorized by CWE-1284.
Affected Systems
The affected product is BoldGrid’s W3 Total Cache WordPress plugin. All releases from the earliest available version up to and including 2.9.1 are susceptible. Users running any of these versions on their WordPress sites expose themselves to this issue.
Risk and Exploitability
The CVSS v3.1 base score of 9.0 rates the flaw as critical, indicating that an attacker could gain full control after successful exploitation. The EPSS score of less than 1% suggests that widespread exploitation has not yet occurred, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Nonetheless, because the flaw permits arbitrary code execution and requires no special privileges beyond access to the plugin’s settings, the likelihood of successful attacks in environments with exposed WordPress administration interfaces remains non‑trivial. Attackers would likely leverage authenticated access or misconfigured permissions to exploit the quantity parameter described in the plugin’s source code.