<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>W3 Total Cache Plugin (&lt; 2.9.5) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/w3-total-cache-plugin--2.9.5/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 07:23:54 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/w3-total-cache-plugin--2.9.5/feed.xml" rel="self" type="application/rss+xml"/><item><title>Directory Traversal in W3 Total Cache WordPress Plugin (CVE-2026-9282)</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-9282-w3-total-cache/</link><pubDate>Sat, 11 Jul 2026 07:23:54 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-9282-w3-total-cache/</guid><description>An unauthenticated directory traversal vulnerability (CVE-2026-9282) in all versions up to 2.9.4 of the W3 Total Cache plugin for WordPress allows attackers to read arbitrary files by manipulating the minify filename when manual minify mode is enabled.</description><content:encoded><![CDATA[<p>A critical directory traversal vulnerability, identified as CVE-2026-9282, affects all versions of the W3 Total Cache plugin for WordPress up to and including 2.9.4. This flaw is located within the <code>setupSources</code> function of the plugin, enabling unauthenticated attackers to read the contents of arbitrary files on the hosting server. Successful exploitation requires that the target WordPress installation has &quot;manual minify mode&quot; enabled. Attackers craft specific HTTP requests that include a malformed <code>manual-format minify filename</code> parameter. This manipulation leads to an empty hash value and prevents the <code>f_array[]</code> entries from being overwritten, allowing the <code>setupSources()</code> function to process directory traversal sequences. The vulnerability poses a significant risk as it can expose sensitive information stored on the server, including configuration files, user credentials, or other proprietary data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress instance running a vulnerable version of the W3 Total Cache plugin (versions 2.9.4 or earlier).</li>
<li>The attacker determines that the target WordPress site has &quot;manual minify mode&quot; enabled within the W3 Total Cache plugin settings.</li>
<li>The attacker constructs a specially crafted HTTP GET request targeting a W3 Total Cache processing endpoint, such as <code>minify.php</code>.</li>
<li>The request includes a <code>filename</code> parameter set to &quot;manual-format&quot; and an <code>f_array[]</code> parameter containing directory traversal sequences (e.g., <code>../../</code>) concatenated with the path to a desired arbitrary file (e.g., <code>/etc/passwd</code>).</li>
<li>This specific combination of parameters bypasses internal validation checks within the plugin.</li>
<li>The request causes the plugin's internal hash to become empty, preventing legitimate <code>f_array[]</code> entries from being overwritten.</li>
<li>The vulnerable <code>setupSources()</code> function is consequently invoked, processing the attacker-controlled <code>f_array[]</code> value as part of a file path.</li>
<li>The server reads the content of the arbitrary file specified by the attacker's directory traversal payload and returns its contents within the HTTP response.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-9282 allows unauthenticated attackers to read any arbitrary file on the compromised web server. This direct access to the filesystem can lead to the exposure of highly sensitive information, such as database credentials, configuration files containing API keys, user lists, and other proprietary data. The compromise of such data can enable further attacks, including privilege escalation, full system compromise, or data exfiltration, severely impacting the confidentiality and integrity of the affected WordPress site and potentially other services on the same host. While no specific victim counts are provided, WordPress is widely used, making many organizations susceptible if they use the affected plugin version.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch the W3 Total Cache plugin to version 2.9.5 or higher to remediate CVE-2026-9282.</li>
<li>Monitor webserver access logs for HTTP GET requests containing <code>/wp-content/plugins/w3-total-cache/</code> in the URI stem and suspicious patterns like <code>../</code>, <code>..%2f</code>, or <code>f_array%5B%5D</code> in the URI query. Deploy the provided Sigma rule to detect such attempts.</li>
<li>Disable &quot;manual minify mode&quot; in the W3 Total Cache plugin if it is not explicitly required for your site's operation.</li>
<li>Regularly review web server and application logs for unusual file access patterns or unexpected HTTP responses (e.g., content of system files returned).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>directory-traversal</category><category>cve</category><category>web-exploit</category></item></channel></rss>