Impact
A legitimate access-control check was missing in the WordPress W3 Total Cache plugin, allowing unauthorized users to perform actions that should be restricted. The flaw does not directly grant remote code execution or escalation of privilege, but it can compromise the confidentiality or integrity of cached data and the overall application by letting attackers read or modify content they should not access.
Affected Systems
WordPress users running the BoldGrid W3 Total Cache plugin version 2.9.1 or earlier are affected. Any site that has failed to update to 2.9.2 or a later patch maintains the vulnerability.
Risk and Exploitability
The CVSS score of 4.7 indicates a moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA's KEV catalog. Attackers would need a web‑based endpoint that interacts with the flawed plugin, which is typical of normal site traffic. The broken access control can be leveraged without exploit code or elevated permissions, making the condition fairly easy to exploit on a publicly accessible site.
OpenCVE Enrichment