WordPress Plugin Vulnerabilities

W3 Total Cache < 2.9.2 - Unauthenticated Arbitrary Code Execution

Description

The plugin is vulnerable to Remote Code Execution. This makes it possible for unauthenticated attackers to execute code on the server.

Affects Plugins

Plugin icon
w3-total-cache
Fixed in 2.9.2

References

CVE
CVE-2026-27384
URL
https://vdp.patchstack.com/database/wordpress/plugin/w3-total-cache/vulnerability/wordpress-w3-total-cache-plugin-2-9-1-arbitrary-code-execution-vulnerability

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.1 (high)

Miscellaneous

Original Researcher
CODE WHITE GmbH
Verified
No
WPVDB ID
97e0af68-1450-4187-8e5a-4332214ef1ac

Timeline

Publicly Published
2026-02-24 (about 2 months ago)
Added
2026-03-05 (about 2 months ago)
Last Updated
2026-04-13 (about 22 days ago)

Other

Published
Title
Published
2025-05-02
Title
Motors - Car Dealer, Rental & Listing WordPress theme < 5.6.66 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-04-17
Title
HUSKY – Products Filter for WooCommerce (formerly WOOF) < 1.3.5.3 - Subscriber+ Remote Code Execution
Published
2025-05-16
Title
RS WP Book Showcase <= 6.7.57 - Unauthenticated Arbitrary Shortcode Execution
Published
2021-12-05
Title
Modal Window < 5.2.2 - RFI leading to RCE via CSRF
Published
2024-10-29
Title
Enable Shortcodes inside Widgets,Comments and Experts <= 1.0.0 - Unauthenticated Arbitrary Shortcode Execution