Description
The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains "W3 Total Cache", which causes raw mfunc/mclude dynamic fragment HTML comments — including the W3TC_DYNAMIC_SECURITY security token — to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled. With the leaked W3TC_DYNAMIC_SECURITY token, an attacker can craft valid mfunc tags to execute arbitrary PHP code on the server, achieving remote code execution.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The W3 Total Cache plugin for WordPress contains a flaw whereby an attacker can send a crafted User‑Agent header that contains the string "W3 Total Cache" to bypass the plugin’s output filtering. This bypass leaks raw mfunc/mclude dynamic fragment HTML comments, including the W3TC_DYNAMIC_SECURITY security token, into the rendered page source. An unauthenticated attacker who obtains this token can inject mfunc tags that execute arbitrary PHP code on the server, leading to full remote code execution.

Affected Systems

All WordPress sites using the BoldGrid W3 Total Cache plugin at or below version 2.9.3 are affected. The issue requires that the fragment caching feature be enabled and that the site contain developer‑placed dynamic fragment tags. Versions newer than 2.9.3 are not vulnerable.

Risk and Exploitability

The flaw has a CVSS base score of 7.5, indicating high severity, and an EPSS score of less than 1 %, suggesting a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Because authentication is not required and the required payload is a specially crafted HTTP request, the likely attack vector is remote over the web. Administrators should assess whether any site meets the prerequisites and apply the recommended fix promptly.

Generated by OpenCVE AI on April 8, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the W3 Total Cache plugin to version 2.9.4 or later
  • If an upgrade is not possible immediately, temporarily disable the fragment caching feature or remove dynamic fragment tags
  • Monitor incoming traffic for suspicious User‑Agent headers and unusual PHP execution attempts
  • Verify that the W3TC_DYNAMIC_SECURITY token is no longer exposed in page source
  • Follow vendor advisories for further updates

Generated by OpenCVE AI on April 8, 2026 at 20:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains "W3 Total Cache", which causes raw mfunc/mclude dynamic fragment HTML comments — including the W3TC_DYNAMIC_SECURITY security token — to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled. The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains "W3 Total Cache", which causes raw mfunc/mclude dynamic fragment HTML comments — including the W3TC_DYNAMIC_SECURITY security token — to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled. With the leaked W3TC_DYNAMIC_SECURITY token, an attacker can craft valid mfunc tags to execute arbitrary PHP code on the server, achieving remote code execution.

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Boldgrid
Boldgrid w3 Total Cache
Wordpress
Wordpress wordpress
Vendors & Products Boldgrid
Boldgrid w3 Total Cache
Wordpress
Wordpress wordpress

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Description The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains "W3 Total Cache", which causes raw mfunc/mclude dynamic fragment HTML comments — including the W3TC_DYNAMIC_SECURITY security token — to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled.
Title W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Boldgrid W3 Total Cache
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:29.087Z

Reserved: 2026-03-27T16:09:57.552Z

Link: CVE-2026-5032

cve-icon Vulnrichment

Updated: 2026-04-02T13:09:14.763Z

cve-icon NVD

Status : Deferred

Published: 2026-04-02T08:16:28.493

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-5032

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:02:28Z

Weaknesses