WordPress: W3 Total Cache Vulnerability CVE-2026-27384

Update timeline

1. investigating Mar 06, 2026, 06:21 PM UTC

   We have been made aware of a critical vulnerability, CVE-2026-27384, affecting versions equal to or less than 2.9.1, of the WordPress W3 Total Cache plugin. Recommended Action We strongly encourage all clients to update any sites running versions 2.9.1 or older to the patched version 2.9.2 immediately. Current Status Exploit Availability: There are currently no known public Proof of Concept (PoC) exploits for this vulnerability. Our team is assessing the impact on our managed sites and evaluating the deployment of necessary patches across our managed systems. We will provide further updates as they become available. If you have any questions or require assistance with the update, please reach out to our support team.

2. identified Mar 06, 2026, 08:20 PM UTC

   We have been made aware of a critical vulnerability, CVE-2026-27384, affecting versions equal to or less than 2.9.1, of the WordPress W3 Total Cache plugin. Recommended Action We strongly encourage all clients to update any sites running versions 2.9.1 or older to the patched version 2.9.2 immediately. Current Status Exploit Availability: There are currently no known public Proof of Concept (PoC) exploits for this vulnerability. Our team is currently applying patches to instances of outdated W3TC plugins that we were able to identify on our managed systems. You may receive server login notifications from internal IPs as we patch detected W3TC installations. We will provide further updates as they become available. If you have any questions or require assistance with the update, please reach out to our support team.

3. monitoring Mar 09, 2026, 08:10 AM UTC

   Update Our team has now applied patches to all instances of the W3 Total Cache plugin across our managed systems where the update was possible based on the current WordPress and PHP version requirements. In some environments, the patch could not be applied as the underlying WordPress or PHP versions do not meet the minimum compatibility requirements for the updated plugin, or due to other configuration limitations. These instances will require updates at the application or environment level before the plugin can be upgraded. For cases where the patch could not be applied for the reasons mentioned above, we will be reaching out to the affected clients directly with additional details and recommended next steps. Recommended Action Clients with sites running W3 Total Cache version 2.9.1 or earlier are strongly advised to update to the patched version 2.9.2 as soon as possible. Where the plugin update is not currently possible due to WordPress or PHP version constraints, we recommend upgrading WordPress and/or PHP first, and then completing the update to W3 Total Cache version 2.9.2 or later at the earliest opportunity. If you require assistance with upgrading your environment or applying the update, please contact our support team, who will be happy to assist. We will continue to monitor this matter and will provide further updates here should any additional actions be required.

4. resolved Mar 10, 2026, 06:28 AM UTC

   Update Our team has completed patching the W3 Total Cache plugin across all managed systems where the update was possible based on the current WordPress and PHP version requirements. In cases where the patch could not be applied due to compatibility constraints or other configuration limitations, the affected clients have been contacted directly with the relevant details and recommended next steps. In most instances, this involves upgrading the underlying WordPress and/or PHP versions before updating the plugin. At this time, the planned remediation work has been completed and this matter is considered resolved. Recommended Action Clients with sites running W3 Total Cache version 2.9.1 or earlier are encouraged to update to the patched version 2.9.2 as soon as possible. Where the update is not currently possible due to WordPress or PHP version constraints, please upgrade those components first and then proceed with the plugin update. If you require assistance with completing the update, please contact our support team. Thank you for your patience and understanding while we worked to address this matter.