Vulnerable W3 Total Cache plugin version in use on
Discovered by francescocar on Nextcloud

This issue took 3 days and 4 hours to triage and 21 days and 2 hours to resolve once triaged.

Hi there,

I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable:

W3 Total Cache makes the site vulnerable to a series of attacks, including XSS, CSRF and SSRF.

Some references:


Update the plugin to the latest version (or manually patch the vulnerabilities).

On a separate note, I saw this domain is not eligible for bounty :) But I wanted to bring this to your attention all the same, WordPress being a common target.

Furthermore, this specific vulnerability could lead to a full website defacement:

Best Regards, Francesco


Since the vulnerabilities are easy to detect with an external scan, hackers could take advantage of them and use the website to run various malicious activities.
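
A defender-side check for the exposure this report describes, as an added example that is not part of the original report: it parses the text of a plugin changelog file and flags it when the highest version it discloses is below a minimum fixed version taken from the vendor's advisory. The WordPress.org `readme.txt` layout is an assumption (the report does not show the file), and the sample file, function names and version numbers are constructed.

```python
import re

# Constructed sample in the WordPress.org readme.txt layout (not the real plugin file).
SAMPLE_README = """\
=== Example Cache Plugin ===
Stable tag: 1.4.2
Requires at least: 5.0

== Changelog ==

= 1.4.2 =
* Fix: cache purge on post update

= 1.4.1 =
* Security: escape admin notice output
"""

VERSION = r"\d+(?:\.\d+)*"


def version_key(v):
    """Comparable key for dotted versions; trailing zeros ignored (1.4 == 1.4.0)."""
    parts = [int(p) for p in v.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def disclosed_versions(text):
    """Return (stable_tag, newest_changelog_entry); either may be None.
    A non-numeric stable tag such as 'trunk' is reported as None."""
    tag = re.search(rf"^Stable tag:[ \t]*({VERSION})[ \t]*$", text, re.I | re.M)
    parts = re.split(r"^==[ \t]*Changelog[ \t]*==[ \t]*$", text, maxsplit=1,
                     flags=re.I | re.M)
    entries = []
    if len(parts) == 2:  # a changelog section exists
        entries = re.findall(rf"^=[ \t]*({VERSION})[ \t]*=[ \t]*$", parts[1], re.M)
    newest = max(entries, key=version_key) if entries else None
    return (tag.group(1) if tag else None, newest)


def needs_update(text, minimum_fixed):
    """True if the highest disclosed version is below minimum_fixed,
    False if it is not, None if the file discloses no version at all."""
    found = [v for v in disclosed_versions(text) if v]
    if not found:
        return None
    return version_key(max(found, key=version_key)) < version_key(minimum_fixed)
```

A `None` result means the file no longer discloses a version, which is the state to aim for on any copy that stays web-reachable after the update.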