PT-2026-57422 · WordPress · W3 Total Cache

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-9282

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions W3 Total Cache versions prior to 2.9.5
Description A Directory Traversal issue exists in the setupSources() function. This allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information. Exploitation occurs when manual minify mode is enabled and a manual-format minify filename is provided, resulting in an empty hash and preventing f array[] entries from being overwritten before the function is executed.
Recommendations Update the plugin to version 2.9.5 or later. As a temporary mitigation, disable manual minify mode to prevent the exploitation of the setupSources() function.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9282

Affected Products

W3 Total Cache