Description
Author Broken Access Control in W3 Total Cache <= 2.9.1 versions.
Published: 2026-06-17
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A legitimate access-control check was missing in the WordPress W3 Total Cache plugin, allowing unauthorized users to perform actions that should be restricted. The flaw does not directly grant remote code execution or escalation of privilege, but it can compromise the confidentiality or integrity of cached data and the overall application by letting attackers read or modify content they should not access.

Affected Systems

WordPress users running the BoldGrid W3 Total Cache plugin version 2.9.1 or earlier are affected. Any site that has failed to update to 2.9.2 or a later patch maintains the vulnerability.

Risk and Exploitability

The CVSS score of 4.7 indicates a moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA's KEV catalog. Attackers would need a web‑based endpoint that interacts with the flawed plugin, which is typical of normal site traffic. The broken access control can be leveraged without exploit code or elevated permissions, making the condition fairly easy to exploit on a publicly accessible site.

Generated by OpenCVE AI on June 18, 2026 at 14:07 UTC.

Remediation

Vendor Solution

Update the WordPress W3 Total Cache Plugin to the latest available version (at least 2.9.2).


OpenCVE Recommended Actions

  • Upgrade the WordPress W3 Total Cache plugin to version 2.9.2 or a newer release through the WordPress admin interface or by replacing the plugin files manually.
  • Backup the WordPress installation and database before updating components.
  • After the update, clear all cached content and verify that restricted pages require proper authentication.

Generated by OpenCVE AI on June 18, 2026 at 14:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Boldgrid
Boldgrid w3 Total Cache
Wordpress
Wordpress wordpress
Vendors & Products Boldgrid
Boldgrid w3 Total Cache
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Author Broken Access Control in W3 Total Cache <= 2.9.1 versions.
Title WordPress W3 Total Cache plugin <= 2.9.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Boldgrid W3 Total Cache
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:31:15.908Z

Reserved: 2026-04-07T10:48:50.116Z

Link: CVE-2026-39595

cve-icon Vulnrichment

Updated: 2026-06-17T13:30:35.493Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:15:06Z

Weaknesses