Directory Traversal Vulnerability in W3 Total Cache Plugin for WordPress
CVE-2026-9282

7.5HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-9282?

The W3 Total Cache plugin for WordPress suffers from a directory traversal vulnerability that affects all versions up to and including 2.9.4. By exploiting this flaw, an unauthenticated attacker can gain unauthorized access to arbitrary files on the server. This occurs through the setupSources function when manual minify mode is activated. Attackers can supply a manual-format minify filename that results in an empty hash, allowing them to bypass normal security checks and access sensitive file contents. It is crucial for users of this plugin to take immediate action to mitigate potential risks.

Affected Version(s)

W3 Total Cache 0 <= 2.9.4

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

snr
.