- Posts
Hi,
We use your free version through Liquid Web and really like it, but I got a notice today that there is a security risk: The W3 Total Cache plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to execute code on the server.
References
vdp.patchstack.com (https://vdp.patchstack.com/database/wordpress/plugin/w3-total-cache/vulnerability/wordpress-w3-total-cache-plugin-2-9-1-arbitrary-code-execution-vulnerability)The CVSS is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and it’s rated as 9.8 (critical). The CVE is https://www.cve.org/CVERecord?id=CVE-2026-27384.
The issue was reported on 2-24-2026 and no update has been made as of today. My report is coming through WordFence.
Please let me know if plans are in place to patch this soon.
Thank you,
Holly
Learning Systems ManagerHello Holly
Thank you for reaching out and I am happy to help!
Can you please update the plugin to the latest W3 Total Cache 2.9.2 release, as the patch fix was added to remedy this issue?
Thanks!
- The topic ‘Security: CVE-2026-27384’ is closed to new replies.
