Platform
wordpress
Component
w3-total-cache
Fixed in
3.0.0
CVE-2026-27384 describes an Improper Validation of Specified Quantity in Input vulnerability within BoldGrid W3 Total Cache. This flaw allows attackers to bypass Access Control Lists (ACLs), granting them unauthorized access to functionality. The vulnerability impacts versions from 0.0.0 up to and including 2.9.1, and a patch is available in version 2.9.2.
The ACL bypass nature of this vulnerability is particularly concerning. An attacker exploiting CVE-2026-27384 could potentially gain administrative access to the WordPress site utilizing W3 Total Cache. This could lead to complete compromise of the website, including data exfiltration, modification of content, and installation of malicious code. The blast radius extends to any sensitive data stored or processed by the website, and the attacker could leverage this access to move laterally within the network if the web server has access to other systems. The lack of proper input validation makes this a high-risk vulnerability, as it requires minimal effort to exploit.
CVE-2026-27384 was published on 2026-03-05. The vulnerability's criticality (CVSS score of 9) indicates a high probability of exploitation. As of this writing, there are no publicly known Proof-of-Concept (POC) exploits, but the ease of exploitation suggests that it is likely to become a target for automated scanners and malicious actors. The vulnerability is not currently listed on CISA Known Exploited Vulnerabilities (KEV) catalog, but its severity warrants close monitoring.
Exploit Status
EPSS
0.07% (22% percentile)
CVSS Vector
The primary mitigation for CVE-2026-27384 is to immediately upgrade W3 Total Cache to version 2.9.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious input patterns related to quantity parameters. Carefully review W3 Total Cache configuration, ensuring that access controls are as restrictive as possible. Monitor web server logs for unusual activity, specifically looking for requests attempting to access restricted functionality. After upgrading, confirm the fix by attempting to access restricted functionality with a non-privileged user account.
Update to version 2.9.2, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27384 is a critical vulnerability in BoldGrid W3 Total Cache allowing attackers to bypass access controls and potentially gain unauthorized access to website functionality. It affects versions 0.0.0 through 2.9.1.
If you are using BoldGrid W3 Total Cache version 2.9.1 or earlier, you are vulnerable to this ACL bypass issue. Check your plugin version immediately.
Upgrade W3 Total Cache to version 2.9.2 or later to resolve this vulnerability. If immediate upgrade isn't possible, implement WAF rules and monitor logs.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation attempts.
Refer to the official BoldGrid security advisory for detailed information and updates regarding CVE-2026-27384: [https://kb.boldgrid.com/article/w3-total-cache-security-update-292-20260305/](https://kb.boldgrid.com/article/w3-total-cache-security-update-292-20260305/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.