CVE-2026-9282
Received Received - Intake

Directory Traversal in W3 Total Cache WordPress Plugin

Vulnerability report for CVE-2026-9282, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires enabling manual minify mode and supplying a manual-format minify filename so that the hash is empty and the f_array[] entries are not overwritten before reaching setupSources().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpress total_cache to 2.9.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The W3 Total Cache plugin for WordPress has a Directory Traversal vulnerability in all versions up to and including 2.9.4. This vulnerability exists in the setupSources function and allows unauthenticated attackers to read arbitrary files on the server.

To exploit this, an attacker must enable manual minify mode and provide a manual-format minify filename so that the hash is empty and certain array entries are not overwritten before reaching the vulnerable function.

Impact Analysis

This vulnerability can allow attackers to read sensitive files on the server without authentication. Such files may contain confidential information, potentially leading to information disclosure.

The CVSS score of 7.5 indicates a high severity impact on confidentiality, though it does not affect integrity or availability.

Compliance Impact

The vulnerability allows unauthenticated attackers to read arbitrary files on the server, which can include sensitive information. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

Specifically, unauthorized disclosure of sensitive data due to this directory traversal vulnerability may violate confidentiality requirements mandated by these standards, potentially resulting in legal and regulatory consequences for affected organizations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9282. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart