W3 Total Cache < 2.7.6 – Sensitive Credentials Stored in Plaintext | CVE 2023-5359 | Plugin Vulnerabilities

Description

The W3 Total Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.5 via Google OAuth API secrets stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to impersonate W3 Total Cache and gain access to user account information in successful conditions. This would not impact the WordPress users site in any way.

Affects Plugins

Fixed in 2.7.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2d89a534-978e-4fd8-be3a-5137bdc22dc9

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Ivan Kuzymchak

Verified

No

WPVDB ID

fa72da03-fab6-4f28-976a-a6f8f31e3a30

Timeline

Publicly Published

2024-09-23 (about 1 year ago)

Added

2024-09-23 (about 1 year ago)

Last Updated

2026-04-13 (about 1 month ago)

Other

Published

Title

Published

2026-04-29

Title

WPPizza – A Restaurant Plugin < 3.20 - Authenticated (Subscriber+) Information Exposure

Published

2025-04-16

Title

Church Admin < 5.0.10 - Unauthenticated Information Disclosure

Published

2024-04-22

Title

VikRentCar Car Rental Management System < 1.3.3 - Information Exposure

Published

2025-12-15

Title

Sober < 3.5.12 - Unauthenticated Information Exposure

Published

2026-02-22

Title

BSK PDF Manager <= 3.7.2 - Unauthenticated Information Exposure