CVE-2026-39595
Deferred Deferred - Pending Action

Broken Access Control in W3 Total Cache Plugin

Vulnerability report for CVE-2026-39595, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description

Author Broken Access Control in W3 Total Cache <= 2.9.1 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpress w3_total_cache to 2.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-39595 is a broken access control vulnerability in the WordPress W3 Total Cache Plugin versions 2.9.1 and earlier.

The issue arises because of missing authorization, authentication, or nonce token checks, which means that unprivileged users could perform actions that normally require higher privileges.

This flaw is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS score of 4.7, indicating a low severity impact.

Impact Analysis

This vulnerability could allow attackers with low privileges to execute actions that require higher privileges on websites using the affected plugin versions.

Although the severity is considered low, attackers might exploit this vulnerability in mass campaigns targeting many websites, potentially leading to unauthorized changes or disruptions.

Immediate action to update the plugin to version 2.9.2 or later is recommended to mitigate this risk.

Mitigation Strategies

The immediate step to mitigate the CVE-2026-39595 vulnerability is to update the WordPress W3 Total Cache plugin to version 2.9.2 or later.

Additionally, enabling auto-updates for vulnerable plugins via Patchstack can help ensure that your plugins remain up to date and protected against this and similar vulnerabilities.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-39595 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

The CVE-2026-39595 vulnerability affects WordPress sites running the W3 Total Cache plugin version 2.9.1 or earlier. Detection involves verifying the plugin version installed on your WordPress system.

To detect if your system is vulnerable, check the installed version of the W3 Total Cache plugin. This can be done by accessing the WordPress admin dashboard under Plugins or by inspecting the plugin files directly.

From the command line, you can use the following commands to check the plugin version if you have access to the WordPress installation directory:

  • Navigate to the plugins directory: cd /path/to/wordpress/wp-content/plugins/w3-total-cache
  • Check the version in the main plugin file (usually w3-total-cache.php) by running: grep 'Version' w3-total-cache.php

If the version is 2.9.1 or earlier, your system is vulnerable to this broken access control issue.

Additionally, monitoring for unusual or unauthorized actions that require higher privileges on your WordPress site may help detect exploitation attempts, but no specific network detection commands or signatures are provided.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39595. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart