Cyber Posture

CVE-2026-27384

Severity: Critical
Published: 05 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: (not stated on this page)
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.7th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27384 is a critical-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in the BoldGrid W3 Total Cache WordPress plugin. Its CVSS v3.1 base score is 9.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 23.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog, so the critical CVSS rating is not yet matched by observed or predicted exploitation.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly mitigates the improper validation of specified quantity in input (CWE-1284) by requiring comprehensive input validation at system interfaces, preventing the ACL bypass exploitation.

AC-3 Access Enforcement (prevent)

Enforces approved access control policies to constrain functionality properly, blocking the unauthorized access that the CVE achieves via ACL bypass.

SI-2 Flaw Remediation (prevent, recover)

Identifies, reports, and corrects the specific flaw in W3 Total Cache versions through 2.9.1, remediating the arbitrary code execution vulnerability via timely patching.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote arbitrary code execution in a public-facing WordPress plugin directly maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Validation of Specified Quantity in Input vulnerability in BoldGrid W3 Total Cache w3-total-cache allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects W3 Total Cache: from n/a through <= 2.9.1.

Deeper analysis

CVE-2026-27384 is an Improper Validation of Specified Quantity in Input vulnerability (CWE-1284) in the BoldGrid W3 Total Cache WordPress plugin (w3-total-cache). The flaw lets a request reach functionality that the plugin's ACLs should constrain, and it affects every version up to and including 2.9.1 (NVD gives no lower bound). It carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H): reachable over the network, no privileges or user interaction required, changed scope (S:C, so the impact extends beyond the plugin's own security authority to the WordPress site), and high impact on confidentiality, integrity and availability. The one metric holding the score below the maximum is AC:H, high attack complexity.

Unauthenticated remote attackers can exploit the flaw over the network without user interaction, but the high attack complexity means success depends on conditions outside the attacker's control. That, together with the low EPSS (0.0008) and the absence from CISA KEV, is why the EPSS-weighted risk priority on this page should be read alongside the CVSS rating rather than the CVSS rating alone. Where the conditions do hold, the reported outcome is arbitrary code execution on WordPress sites running an affected version of the plugin.

The Patchstack advisory documents this as an arbitrary code execution vulnerability in W3 Total Cache 2.9.1 and earlier and provides mitigation details for plugin users. This page does not state the fixed release, so treat any install at or below 2.9.1 as affected and confirm the fix version against the advisory before closing the finding.
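A first triage step is to read the installed version off each WordPress host and compare it with the 2.9.1 upper bound. The script below is an added example for this page, not code from W3 Total Cache or BoldGrid: it parses the standard WordPress plugin header ("Version: x.y.z") from the plugin's main file, assumes the usual plugin path wp-content/plugins/w3-total-cache/w3-total-cache.php, and uses a constructed sample header as input. Because the page names no fixed release, versions above 2.9.1 are reported as outside the stated range, not as fixed.

```python
"""Is a W3 Total Cache install inside the range this advisory marks as affected?

Added example for this page, not code from W3 Total Cache or BoldGrid. It reads
the standard WordPress plugin header ("Version: x.y.z") from the plugin's main
file and compares it with the upper bound in the NVD text (<= 2.9.1). The page
states no fixed release, so anything above 2.9.1 is reported as "outside the
stated affected range", not as "fixed". SAMPLE_HEADER below is constructed.
"""
import re
from pathlib import Path

AFFECTED_THROUGH = (2, 9, 1)   # "from n/a through <= 2.9.1" in the NVD text
# Assumed standard WordPress layout for the plugin's main file.
PLUGIN_MAIN_FILE = "wp-content/plugins/w3-total-cache/w3-total-cache.php"

_VERSION_HEADER = re.compile(r"^[ \t*#/]*Version:[ \t]*(\S+)",
                             re.MULTILINE | re.IGNORECASE)


def version_tuple(text):
    """'2.9.1' -> (2, 9, 1); a non-numeric suffix such as '-beta1' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unparseable version %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def parse_plugin_version(header_text):
    """Extract the Version: field from a WordPress plugin header block."""
    m = _VERSION_HEADER.search(header_text)
    if not m:
        raise ValueError("no 'Version:' header found")
    return m.group(1)


def is_affected(version):
    """True when the version is at or below the advisory's upper bound."""
    return version_tuple(version) <= AFFECTED_THROUGH


def assess(header_text):
    """Return (version, verdict) for the header text of the main plugin file."""
    version = parse_plugin_version(header_text)
    if is_affected(version):
        return version, "AFFECTED (<= 2.9.1): update W3 Total Cache"
    return version, "outside the affected range stated for CVE-2026-27384"


def assess_install(wordpress_root):
    """Assess a real install under wordpress_root; None if the plugin is absent."""
    path = Path(wordpress_root) / PLUGIN_MAIN_FILE
    if not path.is_file():
        return None
    # WordPress itself only reads the first 8 KiB of a file for header data.
    text = path.read_text(encoding="utf-8", errors="replace")[:8192]
    return assess(text)


# Constructed sample in the WordPress plugin-header format (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Description: Search Engine (SEO) & Performance Optimization (WPO) via caching.
 * Version: 2.9.1
 * Author: BoldGrid
 */
"""

if __name__ == "__main__":
    print(assess(SAMPLE_HEADER))
    result = assess_install("/var/www/html")   # assumed docroot; adjust per host
    print(result if result else "w3-total-cache not installed at that root")
```

Comparing numeric tuples rather than strings is what makes 2.10.0 sort above 2.9.1; a string comparison would wrongly flag it as affected. Where WP-CLI is available, `wp plugin list --fields=name,version` gives the same version figure without touching the file.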

Details

CWE(s)

CWE-1284 Improper Validation of Specified Quantity in Input

CVEs Like This One

CVE-2025-55398 (shared CWE-1284)
CVE-2026-3381 (shared CWE-1284)
CVE-2026-1092 (shared CWE-1284)
CVE-2025-14513 (shared CWE-1284)
CVE-2026-30573 (shared CWE-1284)
CVE-2026-25345 (shared CWE-1284)
CVE-2021-47827 (shared CWE-1284)
CVE-2023-54337 (shared CWE-1284)
CVE-2026-40093 (shared CWE-1284)
CVE-2024-30516 (shared CWE-1284)
