PT-2026-57422 · WordPress · W3 Total Cache
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-9282
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
W3 Total Cache versions prior to 2.9.5
Description
A Directory Traversal issue exists in the
setupSources() function. This allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information. Exploitation occurs when manual minify mode is enabled and a manual-format minify filename is provided, resulting in an empty hash and preventing f array[] entries from being overwritten before the function is executed.Recommendations
Update the plugin to version 2.9.5 or later.
As a temporary mitigation, disable manual minify mode to prevent the exploitation of the
setupSources() function.Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
W3 Total Cache