Skip to content
Threat Feed
high advisory

Directory Traversal in W3 Total Cache WordPress Plugin (CVE-2026-9282)

An unauthenticated directory traversal vulnerability (CVE-2026-9282) in all versions up to 2.9.4 of the W3 Total Cache plugin for WordPress allows attackers to read arbitrary files by manipulating the minify filename when manual minify mode is enabled.

A critical directory traversal vulnerability, identified as CVE-2026-9282, affects all versions of the W3 Total Cache plugin for WordPress up to and including 2.9.4. This flaw is located within the setupSources function of the plugin, enabling unauthenticated attackers to read the contents of arbitrary files on the hosting server. Successful exploitation requires that the target WordPress installation has "manual minify mode" enabled. Attackers craft specific HTTP requests that include a malformed manual-format minify filename parameter. This manipulation leads to an empty hash value and prevents the f_array[] entries from being overwritten, allowing the setupSources() function to process directory traversal sequences. The vulnerability poses a significant risk as it can expose sensitive information stored on the server, including configuration files, user credentials, or other proprietary data.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress instance running a vulnerable version of the W3 Total Cache plugin (versions 2.9.4 or earlier).
  2. The attacker determines that the target WordPress site has "manual minify mode" enabled within the W3 Total Cache plugin settings.
  3. The attacker constructs a specially crafted HTTP GET request targeting a W3 Total Cache processing endpoint, such as minify.php.
  4. The request includes a filename parameter set to "manual-format" and an f_array[] parameter containing directory traversal sequences (e.g., ../../) concatenated with the path to a desired arbitrary file (e.g., /etc/passwd).
  5. This specific combination of parameters bypasses internal validation checks within the plugin.
  6. The request causes the plugin's internal hash to become empty, preventing legitimate f_array[] entries from being overwritten.
  7. The vulnerable setupSources() function is consequently invoked, processing the attacker-controlled f_array[] value as part of a file path.
  8. The server reads the content of the arbitrary file specified by the attacker's directory traversal payload and returns its contents within the HTTP response.

Impact

Successful exploitation of CVE-2026-9282 allows unauthenticated attackers to read any arbitrary file on the compromised web server. This direct access to the filesystem can lead to the exposure of highly sensitive information, such as database credentials, configuration files containing API keys, user lists, and other proprietary data. The compromise of such data can enable further attacks, including privilege escalation, full system compromise, or data exfiltration, severely impacting the confidentiality and integrity of the affected WordPress site and potentially other services on the same host. While no specific victim counts are provided, WordPress is widely used, making many organizations susceptible if they use the affected plugin version.

Recommendation

  • Immediately patch the W3 Total Cache plugin to version 2.9.5 or higher to remediate CVE-2026-9282.
  • Monitor webserver access logs for HTTP GET requests containing /wp-content/plugins/w3-total-cache/ in the URI stem and suspicious patterns like ../, ..%2f, or f_array%5B%5D in the URI query. Deploy the provided Sigma rule to detect such attempts.
  • Disable "manual minify mode" in the W3 Total Cache plugin if it is not explicitly required for your site's operation.
  • Regularly review web server and application logs for unusual file access patterns or unexpected HTTP responses (e.g., content of system files returned).

Detection coverage 1

Detects CVE-2026-9282 Exploitation - W3 Total Cache Directory Traversal

high

Detects exploitation attempts against CVE-2026-9282, a directory traversal vulnerability in W3 Total Cache plugin via crafted HTTP GET requests with specific filename and array parameters.

sigma tactics: collection, discovery, initial_access techniques: T1005, T1083, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →