Critical advisory

CVE-2026-27384: W3 Total Cache Unauthenticated RCE via eval() Code Injection

A public exploit has been published for CVE-2026-27384, a critical unauthenticated remote code execution vulnerability in the W3 Total Cache WordPress plugin.

A public exploit has been released for CVE-2026-27384, a critical vulnerability in the W3 Total Cache WordPress plugin (versions prior to 2.9.2) that allows unauthenticated attackers to execute arbitrary PHP code on the server. The flaw is in the Dynamic Fragment Caching feature (the mfunc/mclude system) and results from a combination of factors: the W3TC_DYNAMIC_SECURITY token is used in a regular expression without being escaped with preg_quote(), the regexes that strip and parse dynamic fragments disagree on whitespace (\s* versus \s+), and the token itself is not validated. An attacker exploits it by injecting PHP code inside mfunc tags in a WordPress comment. The exploit was published on Sploitus; the vulnerability carries a CVSS score of 9.8 (Critical).

Attack Chain

  1. The attacker identifies a WordPress site running a vulnerable version of the W3 Total Cache plugin (versions prior to 2.9.2).
  2. The attacker crafts a malicious WordPress comment containing PHP code inside mfunc tags, formatted to bypass the strip_dynamic_fragment_tags_from_string() function by exploiting the whitespace mismatch (\s* vs \s+) between the stripping and parsing regexes.
  3. The attacker posts the crafted comment to a vulnerable page on the WordPress site.
  4. The WordPress site saves the comment, including the malicious payload, to the database and caches the page.
  5. A second HTTP request to the cached page triggers the W3 Total Cache plugin to process the cached content.
  6. The _has_dynamic() function checks for the existence of the W3TC_DYNAMIC_SECURITY constant but lacks proper validation, allowing the payload to proceed.
  7. The _parse_dynamic() function, because the token is not escaped with preg_quote(), builds an incorrect regular expression and mis-parses the token, which leads to code injection.
  8. The _parse_dynamic_mfunc() function executes the injected PHP code using eval(), resulting in unauthenticated remote code execution. The attacker can then perform actions such as gaining shell access, reading sensitive files, and compromising the server.

Impact

Successful exploitation of CVE-2026-27384 allows an unauthenticated attacker to execute arbitrary PHP code on the affected server with the privileges of the web server user. This can lead to full server compromise, unauthorized access to the WordPress database and files, installation of a web shell for persistent access, and potential pivoting to internal networks. Because no authentication is required, any visitor who can post a comment can inject the malicious PHP code.

Recommendation

  • Upgrade the W3 Total Cache plugin to version 2.9.2 or later to patch CVE-2026-27384.
  • If upgrading is not immediately possible, define a strong, alphanumeric W3TC_DYNAMIC_SECURITY token in the wp-config.php file as a temporary mitigation.
  • Monitor web server logs for suspicious POST requests to comment submission endpoints (/wp-comments-post.php, /wp-json/wp/v2/comments) with payloads containing mfunc and shell_exec, as detailed in the attack chain (enable webserver logging to activate related rules).
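The second recommendation hinges on the token being both strong and free of regex metacharacters: the advisory reports that the token is placed into a regular expression without preg_quote(), so characters such as `.` or `*` would change the pattern's meaning. The following is an added example, not code from the advisory or from the W3 Total Cache project: a small Python checker that reads a wp-config.php text, extracts a literal W3TC_DYNAMIC_SECURITY define, and verifies it is ASCII-alphanumeric and at least an assumed policy minimum length (MIN_TOKEN_LEN is a local choice, not a value from the advisory), plus a generator for a suitable token. The sample config fragments are constructed for the demonstration, and the regex-based parsing is a heuristic: a token built from variables or constants will not be found and should be reviewed by hand.

```python
import re
import secrets
import string

# Constructed sample wp-config.php fragments (not taken from any real site);
# the token values are made up for the demonstration.
WP_CONFIG_WEAK = """<?php
define('DB_NAME', 'wordpress');
define( 'W3TC_DYNAMIC_SECURITY', 'a.b' );
"""
WP_CONFIG_STRONG = """<?php
define('DB_NAME', 'wordpress');
define('W3TC_DYNAMIC_SECURITY', 'q7Xm2Lp9Rt4Vw8Zk1Hn6Yb3Jd5Fs0Gc');
"""
WP_CONFIG_MISSING = """<?php
define('DB_NAME', 'wordpress');
"""

# Heuristic: a define() call whose value is a single- or double-quoted string.
# A token assembled from variables or constants will not be seen, so treat
# "not found" as "needs manual review", not as proof the define is absent.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]W3TC_DYNAMIC_SECURITY['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)
ALNUM_RE = re.compile(r"[A-Za-z0-9]+")
MIN_TOKEN_LEN = 20  # assumed local policy, not a value from the advisory


def extract_token(config_text):
    """Return the literal W3TC_DYNAMIC_SECURITY value, or None if not found."""
    m = DEFINE_RE.search(config_text)
    return m.group(1) if m else None


def check_token(config_text, min_len=MIN_TOKEN_LEN):
    """Return (ok, reason) for the token defined in a wp-config.php text."""
    token = extract_token(config_text)
    if token is None:
        return False, "W3TC_DYNAMIC_SECURITY is not defined as a string literal"
    # The advisory reports the token is interpolated into a regex without
    # preg_quote(), so any regex metacharacter ('.', '*', '(' ...) alters the
    # pattern. Restricting the token to ASCII letters and digits avoids that.
    if not ALNUM_RE.fullmatch(token):
        return False, "token contains non-alphanumeric characters"
    if len(token) < min_len:
        return False, f"token is shorter than {min_len} characters"
    return True, "ok"


def generate_token(length=32):
    """Produce a random ASCII-alphanumeric token suitable for the define()."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_file(path):
    """Convenience wrapper for a real wp-config.php on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_token(fh.read())


if __name__ == "__main__":
    for name, text in (("weak", WP_CONFIG_WEAK), ("strong", WP_CONFIG_STRONG),
                       ("missing", WP_CONFIG_MISSING)):
        print(name, check_token(text))
    print("suggested: define('W3TC_DYNAMIC_SECURITY', '%s');" % generate_token())
```

Run `check_file("/path/to/wp-config.php")` against a real install; a `(False, ...)` result means the temporary mitigation is not in place or the token would not survive unescaped regex interpolation. The mitigation is a stopgap only; upgrading to 2.9.2 or later remains the fix.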

Detection coverage (2 rules)

Detect CVE-2026-27384 Exploitation Attempt — mfunc Tag in POST Request

Severity: high

Detects CVE-2026-27384 exploitation attempts by identifying POST requests to comment submission endpoints containing mfunc tags, indicating potential code injection.

Format: sigma | Tactics: execution, initial_access | Techniques: T1059.001, T1189 | Sources: webserver

Detect CVE-2026-27384 Exploitation Attempt — W3 Total Cache mfunc eval RCE - Response Contains User ID

Severity: critical

Detects CVE-2026-27384 exploitation via the presence of 'uid=' within the response from the webserver.

Format: sigma | Tactics: execution, initial_access | Techniques: T1059.001, T1189 | Sources: webserver
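The two rules above and the monitoring recommendation in the Recommendation section describe the same logic: a POST to a comment submission endpoint whose body carries an mfunc tag, and a web server response containing 'uid='. The following is an added example, not the platform's Sigma rules or code from the advisory: a Python implementation of both rules run over constructed JSON-lines events. The event shape (method, uri, body, resp fields) is an assumption modelled on a WAF or reverse-proxy audit log, since a plain access log does not record request or response bodies; the sample records and the documentation-range IPs are constructed. The body is form-decoded before matching so a percent-encoded tag is still seen, and the shell_exec indicator from the recommendation is reported alongside the mfunc hit. Note that 'uid=' can occur in legitimate page content, so the critical rule is most useful when correlated with a preceding mfunc alert from the same source.

```python
import json
import re
from urllib.parse import unquote_plus, urlsplit

# Comment submission endpoints named in the advisory.
COMMENT_ENDPOINTS = {"/wp-comments-post.php", "/wp-json/wp/v2/comments"}
MFUNC_RE = re.compile(r"mfunc", re.IGNORECASE)

# Constructed sample events in an assumed JSON-lines shape (request and
# response bodies only exist in WAF / reverse-proxy audit logs, not in a
# plain access log). Source IPs are from documentation ranges.
SAMPLE_LOG_LINES = "\n".join(json.dumps(e) for e in [
    {"ts": "2026-03-01T10:00:01Z", "src": "203.0.113.5", "method": "POST",
     "uri": "/wp-comments-post.php",
     "body": "comment=Nice+post%21&author=bob", "status": 302, "resp": ""},
    {"ts": "2026-03-01T10:00:07Z", "src": "198.51.100.9", "method": "POST",
     "uri": "/wp-comments-post.php?foo=1",
     "body": "comment=%3C%21--+mfunc+--%3E...%3C%21--+%2Fmfunc+--%3E&author=x",
     "status": 302, "resp": ""},
    {"ts": "2026-03-01T10:00:09Z", "src": "198.51.100.9", "method": "GET",
     "uri": "/2026/03/hello-world/", "body": "", "status": 200,
     "resp": "<html>uid=33(www-data) gid=33(www-data)</html>"},
    {"ts": "2026-03-01T10:00:12Z", "src": "192.0.2.77", "method": "POST",
     "uri": "/wp-json/wp/v2/comments",
     "body": "{\"content\": \"great article\"}", "status": 201, "resp": ""},
])


def load_events(text):
    """Parse JSON-lines text into event dicts, skipping blank or corrupt lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events):
    """Apply both rules to a list of events and return alerts in event order."""
    alerts = []
    for ev in events:
        path = urlsplit(ev.get("uri", "")).path  # ignore the query string
        # Rule 1 (high): POST to a comment endpoint whose body carries an mfunc tag.
        if ev.get("method") == "POST" and path in COMMENT_ENDPOINTS:
            body = unquote_plus(ev.get("body", ""))  # decode form encoding first
            if MFUNC_RE.search(body):
                alerts.append({
                    "rule": "mfunc tag in POST to comment endpoint",
                    "severity": "high", "ts": ev.get("ts"), "src": ev.get("src"),
                    "path": path,
                    "mentions_shell_exec": "shell_exec" in body.lower(),
                })
        # Rule 2 (critical): the response body contains 'uid='.
        if "uid=" in ev.get("resp", ""):
            alerts.append({
                "rule": "response contains uid=",
                "severity": "critical", "ts": ev.get("ts"), "src": ev.get("src"),
                "path": path,
            })
    return alerts


def scan(text):
    """Parse JSON-lines text and run both rules over it."""
    return detect(load_events(text))


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG_LINES):
        print(a["severity"].upper(), a["ts"], a["src"], a["path"], "-", a["rule"])
```

On the constructed sample, the script raises one high alert for the mfunc comment from 198.51.100.9 and one critical alert for the page view from the same address whose response contains 'uid='; the benign comments produce nothing. Point `scan()` at your own audit log export after mapping its field names onto the assumed shape.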
