CVE-2026-57623
BoldGrid · W3 Total Cache
An unauthenticated arbitrary code execution vulnerability exists in BoldGrid W3 Total Cache versions 2.9.4 and earlier, allowing remote attackers to execute commands on the server.
Executive summary
An unauthenticated arbitrary code execution vulnerability in BoldGrid W3 Total Cache exposes the host server to immediate risk of full system compromise by remote attackers.
Vulnerability
This is an unauthenticated arbitrary code execution vulnerability, allowing an attacker to execute commands on the host server without needing any valid user credentials. The flaw resides in the handling of cache processing, which fails to properly sanitize input before execution.
Business impact
With a CVSS score of 9.0, this vulnerability allows for complete server takeover, leading to potential data theft, malware distribution, or the use of the server in further attacks. The business impact is severe, as it provides a direct path for attackers to gain persistence and full control over the web environment.
Remediation
Immediate Action: Update BoldGrid W3 Total Cache to the latest version to close the unauthenticated code execution path.
Proactive Monitoring: Monitor server logs for suspicious process spawning, unauthorized file modifications, or unusual outbound network traffic from the web server.
Compensating Controls: Use a Web Application Firewall (WAF) to block malicious payloads that attempt to exploit remote code execution vulnerabilities in caching mechanisms.
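To support the update step, the following inventory check finds every copy of the plugin under a web root and flags those at version 2.9.4 or earlier. It is an added example, not code from the vendor or from this advisory. It assumes the standard plugin slug and main file (w3-total-cache/w3-total-cache.php) and a "Version:" line in the plugin header; the script name and the /var/www path in the usage comment are placeholders.

```python
import re
import sys
from pathlib import Path

# Advisory states "versions 2.9.4 and earlier"; no fixed version is named there.
LAST_AFFECTED = (2, 9, 4)
PLUGIN_DIR = "w3-total-cache"          # assumed plugin slug (directory name)
PLUGIN_MAIN = "w3-total-cache.php"     # assumed file carrying the plugin header
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)


def parse_version(header_text):
    """Return the header's Version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(header_text)
    if match is None:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:    # treat 2.9.4.0 as 2.9.4
        parts.pop()
    return tuple(parts)


def classify(version):
    """Map a parsed version to 'affected', 'newer' or 'unknown'."""
    if version is None:
        return "unknown"                         # unreadable header: check by hand
    return "affected" if version <= LAST_AFFECTED else "newer"


def scan(root):
    """Return {plugin_dir: (version, status)} for every copy found under root."""
    results = {}
    for main in Path(root).rglob(PLUGIN_MAIN):
        if main.parent.name != PLUGIN_DIR:       # skip same-named files elsewhere
            continue
        with open(main, "rb") as fh:             # header sits at the top of the file
            head = fh.read(8192).decode("utf-8", "replace")
        version = parse_version(head)
        results[str(main.parent)] = (version, classify(version))
    return results


if __name__ == "__main__":
    # Usage: python3 w3tc_inventory.py /var/www   (path is an example)
    found = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, (version, status) in sorted(found.items()):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:8}  {shown:10}  {path}")
    sys.exit(1 if any(s != "newer" for _, s in found.values()) else 0)
```

The check reads the version from disk, so it reports copies of the plugin whether or not they are activated, and it exits non-zero when any copy is affected or unreadable.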
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents one of the most critical security risks possible: remote, unauthenticated code execution. All administrators using W3 Total Cache must prioritize patching to the latest version immediately to prevent unauthorized access and potential system-wide compromise.