Description
The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains "W3 Total Cache", which causes raw mfunc/mclude dynamic fragment HTML comments — including the W3TC_DYNAMIC_SECURITY security token — to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Security Token Disclosure
Action: Immediate Patch
AI Analysis

Impact

The W3 Total Cache WordPress plugin exposes the W3TC_DYNAMIC_SECURITY security token when a request includes a User-Agent header that contains W3 Total Cache. The plugin skips its output buffering process under this condition, causing raw dynamic fragment comments containing the token to be rendered in the page source. An unauthenticated attacker can send a crafted HTTP request to any page that uses developer-placed dynamic fragment tags, provided fragment caching is enabled, and thus learn the token value, resulting in information disclosure.

Affected Systems

BoldGrid’s W3 Total Cache plugin for WordPress is affected in all versions up to and including 2.9.3. The vulnerability requires that fragment caching be enabled and that the page contains developer-placed dynamic fragment tags.

Risk and Exploitability

With a CVSS v3.1 base score of 7.5, this flaw is high severity. The attacker does not need authentication or special privileges; sending a basic HTTP request with a crafted User-Agent header that includes W3 Total Cache is sufficient to trigger the exploit, making it potentially easy to abuse. EPSS data is unavailable, and the vulnerability is not yet listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 2, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the W3 Total Cache plugin to a version newer than 2.9.3.
  • If upgrading immediately is not possible, disable fragment caching or remove dynamic fragment tags to prevent the token from being exposed.

Generated by OpenCVE AI on April 2, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Boldgrid
Boldgrid w3 Total Cache
Wordpress
Wordpress wordpress
Vendors & Products Boldgrid
Boldgrid w3 Total Cache
Wordpress
Wordpress wordpress

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Description The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains "W3 Total Cache", which causes raw mfunc/mclude dynamic fragment HTML comments — including the W3TC_DYNAMIC_SECURITY security token — to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled.
Title W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Boldgrid W3 Total Cache
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-02T13:09:19.667Z

Reserved: 2026-03-27T16:09:57.552Z

Link: CVE-2026-5032

cve-icon Vulnrichment

Updated: 2026-04-02T13:09:14.763Z

cve-icon NVD

Status : Received

Published: 2026-04-02T08:16:28.493

Modified: 2026-04-02T08:16:28.493

Link: CVE-2026-5032

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:22:13Z

Weaknesses