JustAppSec

User-Agent trick leaks W3 Total Cache fragment security token

Published 01 Apr 2026 · Updated 01 Apr 2026 · Source: Wordfence Intelligence

TL;DR: A request whose User-Agent header contains "W3 Total Cache" can cause W3 Total Cache to render raw mfunc/mclude fragment markers (including the W3TC_DYNAMIC_SECURITY token) into the HTML source.

What happened

W3 Total Cache is a widely used WordPress performance plugin that adds caching layers (page cache, fragment caching, and related optimizations) to reduce load and improve response times.

Wordfence (CVE-2026-5032) describes an information exposure issue where W3 Total Cache bypasses its output buffering and processing pipeline when an HTTP request’s User-Agent header contains "W3 Total Cache". In that condition, Wordfence reports that raw mfunc/mclude dynamic fragment HTML comments (including the W3TC_DYNAMIC_SECURITY security token) may be rendered into the page source.

Per the advisory, this enables unauthenticated attackers to discover the value of W3TC_DYNAMIC_SECURITY by sending a crafted User-Agent header to any page that contains developer-placed dynamic fragment tags, as long as fragment caching is enabled.

This is a high-signal issue because it leaks a security token intended to gate sensitive fragment-processing behavior, and W3 Total Cache is common in real-world WordPress stacks—making token disclosure a practical exposure amplifier when combined with other app-layer weaknesses.

Who is impacted

  • WordPress sites running the w3-total-cache plugin with versions <= 2.9.3.
  • Sites where fragment caching is enabled and pages contain developer-placed dynamic fragment tags (mfunc/mclude).
Component: w3-total-cache (WordPress plugin)
Affected versions (per advisory): <= 2.9.3
Patched versions (per advisory): 2.9.4

What to do now

  • Follow vendor remediation guidance and apply the vendor’s patched release.
    • Advisory: "Remediation: Update to version 2.9.4, or a newer patched version"
  • Inventory where W3 Total Cache fragment caching is enabled and where mfunc/mclude dynamic fragments are used; treat publicly reachable pages using these fragments as the priority patch set.
  • If you previously set (or operationally rely on) W3TC_DYNAMIC_SECURITY as a secret value, consider rotating it after patching, since the advisory’s core impact is unauthenticated token disclosure.
  • Add short-term detection: look for requests (especially bursts) whose User-Agent header contains "W3 Total Cache" against cacheable pages, and review the corresponding responses for raw mfunc/mclude fragment markers in the HTML source.
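The detection step above, as an added example that is not part of the advisory or the plugin's own code: a small Python triage helper that flags access-log requests carrying the bypass User-Agent and scans a response body for raw mfunc/mclude markers. The log lines and page source are constructed, the marker syntax is assumed from the W3TC developer documentation, and EXAMPLE_TOKEN is a placeholder for a site's real W3TC_DYNAMIC_SECURITY value.

```python
import re
from typing import Dict, List, Set

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Apr/2026:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [01/Apr/2026:10:00:02 +0000] "GET /blog/ HTTP/1.1" 200 5160 "-" "W3 Total Cache"
198.51.100.7 - - [01/Apr/2026:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 4090 "-" "curl/8.4.0 W3 Total Cache/2.9"
203.0.113.10 - - [01/Apr/2026:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

# Constructed page source showing an unprocessed fragment. The marker syntax
# (<!-- mfunc TOKEN --> ... <!-- /mfunc TOKEN -->) is assumed from the W3TC
# developer documentation; EXAMPLE_TOKEN stands in for the site's real value.
SAMPLE_HTML = """<html><body>
<!-- mfunc EXAMPLE_TOKEN --><?php echo date('H:i'); ?><!-- /mfunc EXAMPLE_TOKEN -->
<!-- mclude EXAMPLE_TOKEN -->/wp-content/themes/x/sidebar.php<!-- /mclude EXAMPLE_TOKEN -->
</body></html>"""

# Parser for the combined log format; the User-Agent is the last quoted field.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Matches opening or closing mfunc/mclude markers and captures the token after them.
FRAGMENT_MARKER = re.compile(r"<!--\s*/?(?:mfunc|mclude)\s+(?P<token>\S+?)\s*-->")


def flag_bypass_requests(log_text: str) -> List[Dict[str, str]]:
    """Return parsed log entries whose User-Agent contains the bypass string."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_LOG.match(line)
        if m and "w3 total cache" in m.group("ua").lower():
            hits.append(m.groupdict())
    return hits


def leaked_tokens(html: str) -> Set[str]:
    """Return every fragment-security token visible as a raw marker in page source."""
    return {m.group("token") for m in FRAGMENT_MARKER.finditer(html)}


if __name__ == "__main__":
    for hit in flag_bypass_requests(SAMPLE_LOG):
        print(f"suspicious UA from {hit['ip']} on {hit['path']}: {hit['ua']!r}")
    print("tokens exposed in sample source:", leaked_tokens(SAMPLE_HTML) or "none")
```

A processed page has its markers stripped, so a non-empty result from leaked_tokens on a response fetched with a normal User-Agent and an empty one from the same page with the bypass User-Agent is the comparison worth alerting on.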

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
