Platform: wordpress
Component: w3-total-cache
Fixed in: 2.9.4
CVE-2026-5032 is an information exposure vulnerability in the W3 Total Cache plugin for WordPress. It allows unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant, potentially leading to unauthorized access or further exploitation. The vulnerability affects all versions of the plugin up to and including 2.9.3. A fix is available in version 2.9.4.
In affected versions, the plugin bypasses its entire output buffering and processing pipeline when the request's User-Agent header contains 'W3 Total Cache'. As a result, the raw mfunc/mclude dynamic fragment HTML comments, which include the W3TC_DYNAMIC_SECURITY security token, are rendered in the page source, where an unauthenticated attacker can read the token.
An attacker can exploit this vulnerability by sending an HTTP request with a User-Agent header containing the string 'W3 Total Cache'. This can be easily accomplished using tools like curl or modified web browsers. Once the W3TC_DYNAMIC_SECURITY token is discovered, the attacker could potentially use it to perform malicious actions, such as content manipulation or code injection, depending on how the token is utilized within the website.
Exploit Status
EPSS: 0.07% (20% percentile)
The recommended mitigation is to update the W3 Total Cache plugin to version 2.9.4 or later. This version corrects the vulnerability by ensuring the output buffering and processing pipeline is correctly applied, even when the User-Agent header contains 'W3 Total Cache'. Prior to updating, it's strongly advised to create a full backup of your website. Additionally, review server logs for any suspicious activity that might indicate prior exploitation.
Update to version 2.9.4, or a newer patched version
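One way to carry out the log review mentioned above, as an added example rather than code from the advisory or the plugin: it scans access-log lines for requests whose User-Agent contains 'W3 Total Cache' and reports those from outside a trusted range. The Combined Log Format, the constructed sample lines and the trusted-network allowlist (standing in for the site's own hosts) are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Substring that, per the advisory, triggers the bypass when it appears in the
# User-Agent header. Matched case-insensitively here (an assumption, chosen so
# the search errs on the side of over-reporting).
MARKER = "w3 total cache"

# Combined Log Format; quoted fields may contain backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:01:44 +0000] "GET / HTTP/1.1" 200 5123 "-" "W3 Total Cache"',
    '198.51.100.20 - - [12/Mar/2026:10:02:10 +0000] "GET /blog/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '127.0.0.1 - - [12/Mar/2026:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 4410 "-" "W3 Total Cache"',
    '203.0.113.7 - - [12/Mar/2026:10:04:31 +0000] "GET /shop/ HTTP/1.1" 200 9120 "-" "curl/8.5.0 w3 total cache"',
]

def find_marker_requests(lines, trusted_nets=("127.0.0.0/8", "::1/128")):
    """Return requests whose User-Agent contains MARKER and whose client
    address is outside trusted_nets (assumed to be the site's own hosts)."""
    nets = [ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        ip, when, request, status, _referer, ua = m.groups()
        if MARKER not in ua.lower():
            continue
        try:
            trusted = any(ip_address(ip) in net for net in nets)
        except ValueError:  # logged as a hostname: cannot be allow-listed
            trusted = False
        if not trusted:
            hits.append({"ip": ip, "time": when,
                         "request": request, "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in find_marker_requests(SAMPLE_LOG):
        print(hit)
```

A hit shows that a request carried the triggering header, not what the response contained.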
W3TC_DYNAMIC_SECURITY is a security token used by W3 Total Cache to protect certain dynamic elements of the website.
Verify the version of the W3 Total Cache plugin. If it's less than 2.9.4, it is vulnerable.
Change all passwords related to the website, including the database and WordPress admin panel. Perform a comprehensive security scan.
Yes, there are WordPress vulnerability scanners that can detect this vulnerability.
While not strictly required, disabling the plugin until it's updated is recommended to minimize the risk of exploitation.