{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5032", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-27T16:09:57.552Z", "datePublished": "2026-04-02T07:39:36.011Z", "dateUpdated": "2026-04-02T13:09:19.667Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-02T07:39:36.011Z"}, "affected": [{"vendor": "boldgrid", "product": "W3 Total Cache", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.9.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains \"W3 Total Cache\", which causes raw mfunc/mclude dynamic fragment HTML comments \u2014 including the W3TC_DYNAMIC_SECURITY security token \u2014 to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled."}], "title": "W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a65eb62d-847b-4f3a-848b-1290e3118c01?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.9.3/Generic_Plugin.php#L1016"}, {"url": "https://plugins.trac.wordpress.org/changeset/3495959/w3-total-cache"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2026-03-27T16:26:37.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-01T19:07:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:09:03.149831Z", "id": "CVE-2026-5032", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:09:19.667Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5032", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:09:03.149831Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:09:14.763Z"}}], "cna": {"title": "W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "boldgrid", "product": "W3 Total Cache", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.9.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-27T16:26:37.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-01T19:07:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a65eb62d-847b-4f3a-848b-1290e3118c01?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.9.3/Generic_Plugin.php#L1016"}, {"url": "https://plugins.trac.wordpress.org/changeset/3495959/w3-total-cache"}], "descriptions": [{"lang": "en", "value": "The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains \"W3 Total Cache\", which causes raw mfunc/mclude dynamic fragment HTML comments \u2014 including the W3TC_DYNAMIC_SECURITY security token \u2014 to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-02T07:39:36.011Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5032", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:09:19.667Z", "dateReserved": "2026-03-27T16:09:57.552Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-02T07:39:36.011Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. This is due to the plugin bypassing its entire output buffering and processing pipeline when the request's User-Agent header contains \"W3 Total Cache\", which causes raw mfunc/mclude dynamic fragment HTML comments \u2014 including the W3TC_DYNAMIC_SECURITY security token \u2014 to be rendered in the page source. This makes it possible for unauthenticated attackers to discover the value of the W3TC_DYNAMIC_SECURITY constant by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, granted the site has the fragment caching feature enabled."}], "id": "CVE-2026-5032", "lastModified": "2026-04-02T08:16:28.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-02T08:16:28.493", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.9.3/Generic_Plugin.php#L1016"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3495959/w3-total-cache"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a65eb62d-847b-4f3a-848b-1290e3118c01?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.3]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "W3 Total Cache", "source": "cna", "vendor": "boldgrid"}, "product": "w3_total_cache", "vendor": "boldgrid"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-02T09:21:45.803501+00:00", "value": {"mitigation_remediation": ["Upgrade the W3 Total Cache plugin to a version newer than 2.9.3.", "If upgrading immediately is not possible, disable fragment caching or remove dynamic fragment tags to prevent the token from being exposed."], "summary": {"action": "Immediate Patch", "impact": "Security Token Disclosure"}, "threat_synthesis": {"affected_systems": "BoldGrid\u2019s W3 Total Cache plugin for WordPress is affected in all versions up to and including 2.9.3. The vulnerability requires that fragment caching be enabled and that the page contains developer-placed dynamic fragment tags.", "description_and_impact": "The W3 Total Cache WordPress plugin exposes the W3TC_DYNAMIC_SECURITY security token when a request includes a User-Agent header that contains W3 Total Cache. The plugin skips its output buffering process under this condition, causing raw dynamic fragment comments containing the token to be rendered in the page source. An unauthenticated attacker can send a crafted HTTP request to any page that uses developer-placed dynamic fragment tags, provided fragment caching is enabled, and thus learn the token value, resulting in information disclosure.", "risk_and_exploitability": "With a CVSS v3.1 base score of 7.5, this flaw is high severity. The attacker does not need authentication or special privileges; sending a basic HTTP request with a crafted User-Agent header that includes W3 Total Cache is sufficient to trigger the exploit, making it potentially easy to abuse. EPSS data is unavailable, and the vulnerability is not yet listed in the CISA KEV catalog."}}}}, "created": "2026-04-02T20:15:37.859512+00:00", "updated": "2026-04-02T20:22:13.443307+00:00", "vendors": ["boldgrid", "boldgrid$PRODUCT$w3_total_cache", "wordpress", "wordpress$PRODUCT$wordpress"]}