Directory Traversal Vulnerability in W3 Total Cache Plugin for WordPress
CVE-2026-9282
7.5HIGH
What is CVE-2026-9282?
The W3 Total Cache plugin for WordPress suffers from a directory traversal vulnerability that affects all versions up to and including 2.9.4. By exploiting this flaw, an unauthenticated attacker can gain unauthorized access to arbitrary files on the server. This occurs through the setupSources function when manual minify mode is activated. Attackers can supply a manual-format minify filename that results in an empty hash, allowing them to bypass normal security checks and access sensitive file contents. It is crucial for users of this plugin to take immediate action to mitigate potential risks.
Affected Version(s)
W3 Total Cache 0 <= 2.9.4