{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/eval/feed.json",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["W3 Total Cache \u003c 2.9.2"],
      "_cs_severities": ["critical"],
      "_cs_tags": ["rce", "wordpress", "code-injection", "eval", "w3-total-cache"],
      "_cs_type": "advisory",
      "_cs_vendors": ["WordPress"],
      "content_html": "\u003cp\u003eA public exploit has been released for CVE-2026-27384, a critical vulnerability in the W3 Total Cache WordPress plugin (versions prior to 2.9.2) that lets an unauthenticated attacker execute arbitrary PHP code on the server. The flaw is in the Dynamic Fragment Caching feature (the \u003ccode\u003emfunc/mclude\u003c/code\u003e system) and results from three defects acting together: the \u003ccode\u003eW3TC_DYNAMIC_SECURITY\u003c/code\u003e token is interpolated into a regular expression without \u003ccode\u003epreg_quote()\u003c/code\u003e, the stripping and parsing regexes disagree on whitespace (\u003ccode\u003e\\s+\u003c/code\u003e in one, \u003ccode\u003e\\s*\u003c/code\u003e in the other), and the token's value is never validated. The attacker delivers the payload by placing PHP code inside \u003ccode\u003emfunc\u003c/code\u003e tags in an ordinary WordPress comment. The exploit was published on Sploitus; the vulnerability is rated CVSS 9.8 (Critical).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site running a vulnerable W3 Total Cache version (prior to 2.9.2).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a comment containing PHP code inside \u003ccode\u003emfunc\u003c/code\u003e tags, written so that \u003ccode\u003estrip_dynamic_fragment_tags_from_string()\u003c/code\u003e does not match it: the stripper requires whitespace that the parser does not (the \u003ccode\u003e\\s*\u003c/code\u003e versus \u003ccode\u003e\\s+\u003c/code\u003e mismatch).\u003c/li\u003e\n\u003cli\u003eThe attacker posts the comment to a vulnerable page on the site.\u003c/li\u003e\n\u003cli\u003eWordPress saves the comment, payload included, to the database, and the page is cached.\u003c/li\u003e\n\u003cli\u003eA subsequent HTTP request for the cached page makes W3 Total Cache process the cached content.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e_has_dynamic()\u003c/code\u003e only checks that the \u003ccode\u003eW3TC_DYNAMIC_SECURITY\u003c/code\u003e constant is defined and does not validate its value, so processing continues.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e_parse_dynamic()\u003c/code\u003e builds its regex from the unquoted token (no \u003ccode\u003epreg_quote()\u003c/code\u003e), so the crafted tag is matched and its body is treated as a dynamic fragment.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e_parse_dynamic_mfunc()\u003c/code\u003e passes that body to \u003ccode\u003eeval()\u003c/code\u003e, giving unauthenticated remote code execution. From there the attacker can obtain a shell, read sensitive files, and take over the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27384 lets an unauthenticated attacker execute arbitrary PHP code on the affected server with the privileges of the web server user. This can lead to full server compromise, unauthorized access to the WordPress database and files, installation of a web shell for persistent access, and pivoting into internal networks. Because no authentication is required, any visitor allowed to leave a comment (every visitor, on a site with open commenting) can deliver the payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the W3 Total Cache plugin to version 2.9.2 or later to patch CVE-2026-27384.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, define a strong, purely alphanumeric \u003ccode\u003eW3TC_DYNAMIC_SECURITY\u003c/code\u003e token in \u003ccode\u003ewp-config.php\u003c/code\u003e as a temporary mitigation: alphanumeric so the unquoted token carries no regex metacharacters, and long and random so it cannot be guessed. Treat this as a stopgap; only the update closes the regex mismatch itself.\u003c/li\u003e\n\u003cli\u003eMonitor for POST requests to the comment endpoints (\u003ccode\u003e/wp-comments-post.php\u003c/code\u003e, \u003ccode\u003e/wp-json/wp/v2/comments\u003c/code\u003e) whose bodies contain \u003ccode\u003emfunc\u003c/code\u003e together with functions such as \u003ccode\u003eshell_exec\u003c/code\u003e, as described in the attack chain. Ordinary access logs do not record POST bodies, so this needs request body logging (enable webserver logging to activate the related rules). Also search stored comments (the \u003ccode\u003ewp_comments\u003c/code\u003e table under the default prefix) and the page cache for \u003ccode\u003emfunc\u003c/code\u003e tags to find payloads already planted.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-05-26T11:01:30Z",
      "date_published": "2026-05-26T11:01:30Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-05-w3-total-cache-rce/",
      "summary": "A public exploit has been published for CVE-2026-27384, a critical unauthenticated remote code execution vulnerability in the W3 Total Cache WordPress plugin.",
      "title": "CVE-2026-27384: W3 Total Cache Unauthenticated RCE via eval() Code Injection",
      "url": "https://feed.craftedsignal.io/briefs/2026-05-w3-total-cache-rce/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Eval",
  "version": "https://jsonfeed.org/version/1.1"
}
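The attack chain and the mitigation advice in the brief above, as an added example that is neither the plugin's code nor part of the original feed item: a simplified PHP model of the three defects the brief names (token interpolated without preg_quote(), the \s+ versus \s* mismatch between stripper and parser, a has-dynamic check that only tests defined()) next to a hardened version that quotes the token, validates it, and drives stripping and parsing from one regex. The function names echo the advisory; their bodies, the "<!-- mfunc TOKEN -->" tag shape, and the 16-character token policy are assumptions of this example. Nothing is executed: the parser returns the fragment body that would otherwise reach eval().

```php
<?php
declare(strict_types=1);

/*
 * Added example, not W3 Total Cache's own code. Models the mfunc path as the
 * advisory describes it; bodies are hypothetical reconstructions, the
 * "<!-- mfunc TOKEN -->...<!-- /mfunc TOKEN -->" tag shape is assumed, and
 * nothing is eval()'d: the parser returns what it would have handed to eval().
 */

// One regex for an mfunc block. $space is the whitespace class required after
// "mfunc"; $quote says whether the token is escaped before interpolation.
function mfunc_regex(string $token, string $space, bool $quote): string
{
    $tok = $quote ? preg_quote($token, '~') : $token;
    return '~<!--\s*mfunc' . $space . $tok . '\s*-->(.*?)'
         . '<!--\s*/mfunc' . $space . $tok . '\s*-->~s';
}

// Vulnerable _has_dynamic() model: defined() only, no value check.
// A null $token stands for "constant not defined".
function has_dynamic_vuln(?string $token): bool
{
    return $token !== null;
}

// Hardened check: non-empty and alphanumeric, so the token never carries regex
// metacharacters. The 16-char minimum is this example's policy, not the plugin's.
function has_dynamic_fixed(?string $token): bool
{
    return $token !== null
        && strlen($token) >= 16
        && preg_match('/^[A-Za-z0-9]+$/', $token) === 1;
}

// Simulates the chain: comment saved after stripping, page cached, cached page
// parsed. Returns the mfunc bodies that would reach eval().
function mfunc_pipeline(?string $token, string $comment, bool $fixed): array
{
    if (!($fixed ? has_dynamic_fixed($token) : has_dynamic_vuln($token))) {
        return [];
    }
    if ($fixed) {
        // Strip and parse share one regex with the token quoted: anything the
        // parser could match has already been removed from the comment.
        $strip = $parse = mfunc_regex($token, '\s+', true);
    } else {
        $strip = mfunc_regex($token, '\s+', false); // stripper needs a space...
        $parse = mfunc_regex($token, '\s*', false); // ...the parser does not
    }
    // An invalid regex (another symptom of the unquoted token) makes
    // preg_replace() return null; treat that as "nothing stripped".
    $stored = preg_replace($strip, '', $comment) ?? $comment;
    preg_match_all($parse, $stored, $m);
    return $m[1];
}

// Constructed comment bodies, not captured traffic. $spaceless omits the
// whitespace the stripper insists on; $leaked also carries the real token.
$spaceless = '<!--mfunc-->echo shell_exec("id");<!--/mfunc-->';
$strong    = 'Zq7Lm2Vx9Pa4Rt1B';
$leaked    = "<!--mfunc{$strong}-->system(\$_GET['c']);<!--/mfunc{$strong}-->";

$cases = [
    'undefined token, spaceless tag' => [null,    $spaceless],
    'empty token, spaceless tag'     => ['',      $spaceless],
    'token "k*", spaceless tag'      => ['k*',    $spaceless], // k* matches ""
    'strong token, spaceless tag'    => [$strong, $spaceless],
    'strong token, leaked token'     => [$strong, $leaked],
];
foreach ($cases as $label => [$token, $comment]) {
    printf("%-32s vulnerable=%-28s fixed=%s\n", $label,
        json_encode(mfunc_pipeline($token, $comment, false)),
        json_encode(mfunc_pipeline($token, $comment, true)));
}
```

Run it with php on the command line. The empty-token and "k*" rows show the spaceless tag slipping past the \s+ stripper and being accepted by the \s* parser, while the hardened token check rejects both configurations before any regex is built. The strong-token rows show why the recommended mitigation works against an unauthenticated attacker (the tag without the token matches nothing) and why it is only a stopgap: if the token leaks, the vulnerable model still evaluates the spaceless tag, whereas the hardened model cannot parse anything its stripper would not already have removed.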