{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/w3-total-cache-plugin--2.9.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-9282"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WordPress","W3 Total Cache plugin (\u003c 2.9.5)"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","directory-traversal","cve","web-exploit"],"_cs_type":"advisory","_cs_vendors":["WordPress","W3 Total Cache"],"content_html":"\u003cp\u003eA critical directory traversal vulnerability, identified as CVE-2026-9282, affects all versions of the W3 Total Cache plugin for WordPress up to and including 2.9.4. This flaw is located within the \u003ccode\u003esetupSources\u003c/code\u003e function of the plugin, enabling unauthenticated attackers to read the contents of arbitrary files on the hosting server. Successful exploitation requires that the target WordPress installation has \u0026quot;manual minify mode\u0026quot; enabled. Attackers craft specific HTTP requests that include a malformed \u003ccode\u003emanual-format minify filename\u003c/code\u003e parameter. This manipulation leads to an empty hash value and prevents the \u003ccode\u003ef_array[]\u003c/code\u003e entries from being overwritten, allowing the \u003ccode\u003esetupSources()\u003c/code\u003e function to process directory traversal sequences. The vulnerability poses a significant risk as it can expose sensitive information stored on the server, including configuration files, user credentials, or other proprietary data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress instance running a vulnerable version of the W3 Total Cache plugin (versions 2.9.4 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker determines that the target WordPress site has \u0026quot;manual minify mode\u0026quot; enabled within the W3 Total Cache plugin settings.\u003c/li\u003e\n\u003cli\u003eThe attacker constructs a specially crafted HTTP GET request targeting a W3 Total Cache processing endpoint, such as \u003ccode\u003eminify.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003efilename\u003c/code\u003e parameter set to \u0026quot;manual-format\u0026quot; and an \u003ccode\u003ef_array[]\u003c/code\u003e parameter containing directory traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) concatenated with the path to a desired arbitrary file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis specific combination of parameters bypasses internal validation checks within the plugin.\u003c/li\u003e\n\u003cli\u003eThe request causes the plugin's internal hash to become empty, preventing legitimate \u003ccode\u003ef_array[]\u003c/code\u003e entries from being overwritten.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esetupSources()\u003c/code\u003e function is consequently invoked, processing the attacker-controlled \u003ccode\u003ef_array[]\u003c/code\u003e value as part of a file path.\u003c/li\u003e\n\u003cli\u003eThe server reads the content of the arbitrary file specified by the attacker's directory traversal payload and returns its contents within the HTTP response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9282 allows unauthenticated attackers to read any arbitrary file on the compromised web server. This direct access to the filesystem can lead to the exposure of highly sensitive information, such as database credentials, configuration files containing API keys, user lists, and other proprietary data. The compromise of such data can enable further attacks, including privilege escalation, full system compromise, or data exfiltration, severely impacting the confidentiality and integrity of the affected WordPress site and potentially other services on the same host. While no specific victim counts are provided, WordPress is widely used, making many organizations susceptible if they use the affected plugin version.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch the W3 Total Cache plugin to version 2.9.5 or higher to remediate CVE-2026-9282.\u003c/li\u003e\n\u003cli\u003eMonitor webserver access logs for HTTP GET requests containing \u003ccode\u003e/wp-content/plugins/w3-total-cache/\u003c/code\u003e in the URI stem and suspicious patterns like \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..%2f\u003c/code\u003e, or \u003ccode\u003ef_array%5B%5D\u003c/code\u003e in the URI query. Deploy the provided Sigma rule to detect such attempts.\u003c/li\u003e\n\u003cli\u003eDisable \u0026quot;manual minify mode\u0026quot; in the W3 Total Cache plugin if it is not explicitly required for your site's operation.\u003c/li\u003e\n\u003cli\u003eRegularly review web server and application logs for unusual file access patterns or unexpected HTTP responses (e.g., content of system files returned).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T07:23:54Z","date_published":"2026-07-11T07:23:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-9282-w3-total-cache/","summary":"An unauthenticated directory traversal vulnerability (CVE-2026-9282) in all versions up to 2.9.4 of the W3 Total Cache plugin for WordPress allows attackers to read arbitrary files by manipulating the minify filename when manual minify mode is enabled.","title":"Directory Traversal in W3 Total Cache WordPress Plugin (CVE-2026-9282)","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-9282-w3-total-cache/"}],"language":"en","title":"CraftedSignal Threat Feed - W3 Total Cache Plugin (\u003c 2.9.5)","version":"https://jsonfeed.org/version/1.1"}