7.5

CVE-2026-5032

EPSS 0.06%
Veröffentlicht 02.04.2026 07:39:36
Zuletzt bearbeitet 27.04.2026 19:04:22
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header

W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header

The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains "W3 Total Cache", which causes raw mfunc/mclude dynamic fragment HTML comments — including the W3TC_DYNAMIC_SECURITY security token — to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled. With the leaked W3TC_DYNAMIC_SECURITY token, an attacker can craft valid mfunc tags to execute arbitrary PHP code on the server, achieving remote code execution.

Mögliche Gegenmaßnahme

W3 Total Cache: Update to version 2.9.4, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerboldgrid

≫

Produkt W3 Total Cache

Default Statusunaffected

Version <= 2.9.3

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt W3 Total Cache

Version *-2.9.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.197

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://www.wordfence.com/threat-intel/vulnerabilities/id/a65eb62d-847b-4f3a-848b-1290e3118c01?source=cve

https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.9.3/Generic_Plugin.php#L1016

https://plugins.trac.wordpress.org/changeset/3495959/w3-total-cache

https://www.wordfence.com/threat-intel/vulnerabilities/id/a65eb62d-847b-4f3a-848b-1290e3118c01

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-5032

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-5032

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-5032

EUVD