WordPress: W3 Total Cache Vulnerability CVE-2026-27384
Incident
Report for Liquid Web - Services
Subscribe to Updates
Monitoring
Update
Our team has now applied patches to all instances of the W3 Total Cache plugin across our managed systems where the update was possible based on the current WordPress and PHP version requirements.
In some environments, the patch could not be applied as the underlying WordPress or PHP versions do not meet the minimum compatibility requirements for the updated plugin, or due to other configuration limitations. These instances will require updates at the application or environment level before the plugin can be upgraded.
For cases where the patch could not be applied for the reasons mentioned above, we will be reaching out to the affected clients directly with additional details and recommended next steps.
Recommended Action
Clients with sites running W3 Total Cache version 2.9.1 or earlier are strongly advised to update to the patched version 2.9.2 as soon as possible.
Where the plugin update is not currently possible due to WordPress or PHP version constraints, we recommend upgrading WordPress and/or PHP first, and then completing the update to W3 Total Cache version 2.9.2 or later at the earliest opportunity.
If you require assistance with upgrading your environment or applying the update, please contact our support team, who will be happy to assist.
We will continue to monitor this matter and will provide further updates here should any additional actions be required.
Our team has now applied patches to all instances of the W3 Total Cache plugin across our managed systems where the update was possible based on the current WordPress and PHP version requirements.
In some environments, the patch could not be applied as the underlying WordPress or PHP versions do not meet the minimum compatibility requirements for the updated plugin, or due to other configuration limitations. These instances will require updates at the application or environment level before the plugin can be upgraded.
For cases where the patch could not be applied for the reasons mentioned above, we will be reaching out to the affected clients directly with additional details and recommended next steps.
Recommended Action
Clients with sites running W3 Total Cache version 2.9.1 or earlier are strongly advised to update to the patched version 2.9.2 as soon as possible.
Where the plugin update is not currently possible due to WordPress or PHP version constraints, we recommend upgrading WordPress and/or PHP first, and then completing the update to W3 Total Cache version 2.9.2 or later at the earliest opportunity.
If you require assistance with upgrading your environment or applying the update, please contact our support team, who will be happy to assist.
We will continue to monitor this matter and will provide further updates here should any additional actions be required.
Identified
We have been made aware of a critical vulnerability, CVE-2026-27384, affecting versions equal to or less than 2.9.1, of the WordPress W3 Total Cache plugin.
Recommended Action
We strongly encourage all clients to update any sites running versions 2.9.1 or older to the patched version 2.9.2 immediately.
Current Status
Exploit Availability: There are currently no known public Proof of Concept (PoC) exploits for this vulnerability.
Our team is currently applying patches to instances of outdated W3TC plugins that we were able to identify on our managed systems. You may receive server login notifications from internal IPs as we patch detected W3TC installations.
We will provide further updates as they become available. If you have any questions or require assistance with the update, please reach out to our support team.
Recommended Action
We strongly encourage all clients to update any sites running versions 2.9.1 or older to the patched version 2.9.2 immediately.
Current Status
Exploit Availability: There are currently no known public Proof of Concept (PoC) exploits for this vulnerability.
Our team is currently applying patches to instances of outdated W3TC plugins that we were able to identify on our managed systems. You may receive server login notifications from internal IPs as we patch detected W3TC installations.
We will provide further updates as they become available. If you have any questions or require assistance with the update, please reach out to our support team.
Investigating
We have been made aware of a critical vulnerability, CVE-2026-27384, affecting versions equal to or less than 2.9.1, of the WordPress W3 Total Cache plugin.
Recommended Action
We strongly encourage all clients to update any sites running versions 2.9.1 or older to the patched version 2.9.2 immediately.
Current Status
Exploit Availability: There are currently no known public Proof of Concept (PoC) exploits for this vulnerability.
Our team is assessing the impact on our managed sites and evaluating the deployment of necessary patches across our managed systems.
We will provide further updates as they become available. If you have any questions or require assistance with the update, please reach out to our support team.
Recommended Action
We strongly encourage all clients to update any sites running versions 2.9.1 or older to the patched version 2.9.2 immediately.
Current Status
Exploit Availability: There are currently no known public Proof of Concept (PoC) exploits for this vulnerability.
Our team is assessing the impact on our managed sites and evaluating the deployment of necessary patches across our managed systems.
We will provide further updates as they become available. If you have any questions or require assistance with the update, please reach out to our support team.
This incident affects: Cloud Dedicated and Cloud VPS Hosting.