W3 Total Cache < 2.9.4 – Unauthenticated Security Token Exposure via User-Agent Header | CVE 2026-5032

Description

The plugin is vulnerable to information exposure due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains "W3 Total Cache", which causes raw mfunc/mclude dynamic fragment HTML comments — including the W3TC_DYNAMIC_SECURITY security token — to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled.

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

w3-total-cache

Fixed in 2.9.4

References

CVE

CVE-2026-5032

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a65eb62d-847b-4f3a-848b-1290e3118c01

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

5.9 (medium)

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

Yes

WPVDB ID

23ddee99-f758-4ff5-9963-0304ce062c30

Timeline

Publicly Published

2026-04-01 (about 1 month ago)

Added

2026-04-02 (about 1 month ago)

Last Updated

2026-04-13 (about 1 month ago)

Other

Published

Title

Published

2026-04-08

Title

BackupBliss – Backup & Migration with Free Cloud Storage < 2.1.2 - Unauthenticated Information Exposure

Published

2026-02-17

Title

WP All Export < 1.4.15 - Unauthenticated Sensitive Information Exposure via PHP Type Juggling

Published

2022-02-14

Title

Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure

Published

2024-07-04

Title

FileBird Document Library < 2.0.8 - Unauthenticated Sensitive Information Exposure

Published

2025-01-13

Title

W3 Total Cache < 2.8.2 - Information Exposure via Log Files