If your website runs this plugin, it could be the thing attacking your staff
Think about who visits your company website in a normal week. Customers and the public in volume, and also your own staff, several times a day, from their work laptops while signed into email, the CRM, and the bank in other tabs. Now imagine that website is quietly serving every one of them something malicious, because someone else is in control of it. That is the scenario behind a flaw disclosed this week, and it flips the usual worry on its head. The danger is not your site going down. It is your site staying up and being turned against the people who trust it.
The flaw is in W3 Total Cache, a plugin that speeds up WordPress websites and is installed on more than 900,000 of them. Tracked as CVE-2026-57623 and rated 9.0 out of 10, it lets an attacker run their own code on the web server with no password and no login required. It is not a one-click attack: the flaw is rated high complexity, which means an attacker needs certain conditions on your site to line up before it works, so it is serious rather than trivially easy to fire off. But given how common this plugin is, a lot of ordinary business websites are exposed without their owners knowing it is even installed, and a critical flaw that needs no login is not one to sit on.
Why a hacked website is a weapon, not just an outage
Most owner-managers picture a website attack as defacement or downtime: the site goes offline, or someone scrawls graffiti on the homepage. Annoying, visible, survivable. This is worse and quieter, because it leaves the site looking completely normal.
When an attacker can run code on the server, they control what the site sends back to every visitor. They can slip in a hidden script that attacks the visitor's browser, a fake login box that harvests passwords, or a booby-trapped download. The site looks exactly as it always did. Nobody notices. And the most valuable visitors to attack are the people who trust the site most, which means your own colleagues and your customers.
It is worth holding both halves of this in your head at once: a bad web page can compromise the browser that visits it, and your own website can become that bad page. A compromised site does not just embarrass you. It quietly turns your most trusted digital front door into a way to reach everyone who walks through it.
The uncomfortable part: you may not know it is there
Here is what makes website plugins different from the software on your desktop. You chose Chrome. You probably did not choose W3 Total Cache. Whoever built or maintains your WordPress site installed it, sensibly, to make the site faster, and then everyone forgot about it. It sits there doing its job, updating quietly or not at all, and it never crosses the mind of the person who actually runs the business.
That is the real exposure, and it is bigger than this one plugin. A website is software you stopped looking at, and every plugin on it is an attack surface you are not watching. The plugin is the news. The blind spot is the story.
Worth a second look at this one, in fairness to it
There is a specific point to make about W3 Total Cache, and it needs saying carefully. This is not the first critical unauthenticated flaw of this kind the plugin has shipped. There has been a run of them over the past year, and an earlier one already has public exploit code circulating. If your site depends on it, that pattern is a fair reason to ask whether you still need it, or whether a simpler caching setup, or one built into your hosting, would do the same job with less to go wrong.
That is not a swipe at the people who build it. Caching is genuinely hard, dangerous work. A caching plugin has to step in early, before WordPress has fully loaded, and handle raw incoming requests and stored content to make a site fast. That is exactly the kind of code where small mistakes turn into serious flaws, and it is a plugin doing a demanding job on a huge number of sites. The point is not that the plugin is bad. It is that a component doing high-risk work on your behalf earns extra scrutiny: keep it only if you need it, and keep it patched without fail if you do.
What to do this week
- Update W3 Total Cache to version 2.10.0 or later, today. If your site runs WordPress, either check the plugins list yourself or ask whoever manages it to confirm the version. Version 2.10.0 fixes this flaw, and its changelog shows it fixes a whole batch of other security issues at the same time, so there is no reason to sit on an older one.
- Find out who actually looks after your website, and whether anyone updates it. For a lot of SMEs the honest answer is "the person who built it, three years ago, who we no longer speak to." If that is you, that gap is the thing to close, not just this one plugin.
- Get a list of every plugin on your site, and turn on automatic updates where you can. You cannot patch what you cannot see. A five-minute inventory of what is installed is worth more than any single fix.
- Treat your website as part of your attack surface, not just marketing. It runs on a server, it holds forms and sometimes customer data, and when it is compromised it can reach the browsers of everyone who visits. It deserves the same patching discipline as the laptops in the office.
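The inventory step above can be turned into a small script. The example below is added here and is not code from Steelwise or from the W3 Total Cache project: it reads the JSON that WP-CLI's `wp plugin list --format=json` prints (the field names `name`, `status`, `update`, `version`, `update_version` and `auto_update` are assumed to match WP-CLI 2.5 or later), flags any W3 Total Cache install below 2.10.0, and lists every plugin with a pending update or with automatic updates switched off. The sample plugin list embedded in the script is constructed for the example; the version numbers in it are made up and say nothing about any real site.

```python
"""Review a WordPress plugin inventory for the three problems the checklist
names: a known-vulnerable version, pending updates, and auto-update off.

Usage on a real site (assumes WP-CLI is installed on the server):
    wp plugin list --format=json > plugins.json
    python3 plugin_review.py plugins.json
With no file argument the constructed sample below is used.
"""
import json
import re
import sys

# Constructed sample, shaped like `wp plugin list --format=json` output.
# Plugin names are real; versions and settings are invented for this example.
SAMPLE_WP_PLUGIN_LIST = """
[
  {"name": "w3-total-cache", "status": "active", "update": "available",
   "version": "2.9.3", "update_version": "2.10.0", "auto_update": "off"},
  {"name": "contact-form-7", "status": "active", "update": "none",
   "version": "6.0.6", "update_version": null, "auto_update": "on"},
  {"name": "akismet", "status": "inactive", "update": "available",
   "version": "5.3", "update_version": "5.4", "auto_update": "off"}
]
"""

# Lowest version that contains the fix for a known no-login flaw.
# The W3 Total Cache entry is the one from this filing (fixed in 2.10.0).
MINIMUM_SAFE_VERSIONS = {"w3-total-cache": "2.10.0"}


def parse_version(text):
    """Turn '2.10.0' or '2.10.1-beta1' into a tuple of ints for comparison.

    Only the leading digits of each dot-separated part count, so a suffix
    such as '-beta1' does not break the comparison, and '2.9.3' sorts
    below '2.10.0' (a plain string compare would get that wrong).
    """
    parts = []
    for piece in str(text).split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_below(installed, minimum):
    return parse_version(installed) < parse_version(minimum)


def review_plugins(plugins_json, minimums=MINIMUM_SAFE_VERSIONS):
    """Return a list of findings, one dict per problem per plugin."""
    findings = []
    for plugin in json.loads(plugins_json):
        name = plugin.get("name", "?")
        installed = plugin.get("version", "0")
        # 1. Known-vulnerable version still installed (active or not: an
        #    inactive plugin's files are still on the server).
        if name in minimums and version_below(installed, minimums[name]):
            findings.append({"plugin": name,
                             "issue": "below_minimum_safe_version",
                             "detail": f"{installed} < {minimums[name]}"})
        # 2. An update exists but has not been applied.
        if plugin.get("update") == "available":
            findings.append({"plugin": name, "issue": "update_available",
                             "detail": f"{installed} -> {plugin.get('update_version')}"})
        # 3. Nobody and nothing will apply future updates automatically.
        if plugin.get("auto_update") != "on":
            findings.append({"plugin": name, "issue": "auto_update_off",
                             "detail": f"status={plugin.get('status')}"})
    return findings


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_WP_PLUGIN_LIST
    findings = review_plugins(source)
    for f in findings:
        print(f"{f['plugin']:20} {f['issue']:28} {f['detail']}")
    print(f"{len(findings)} finding(s)")


if __name__ == "__main__":
    main()
```

Run against the built-in sample, the script reports three findings for w3-total-cache (below 2.10.0, update pending, auto-update off) and two for akismet, and nothing for contact-form-7. The version check is done on numeric tuples deliberately: comparing "2.9.3" and "2.10.0" as strings would wrongly call 2.9.3 the newer one.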
How Steelwise can help
Finding out what your website actually runs, who maintains it, and whether it is quietly out of date is exactly the kind of review we do with clients, before it becomes an incident rather than after. Get in touch.
Further reading
- CVE-2026-57623 on StackFlag (a free tool we built to track exactly this kind of thing)
- W3 Total Cache on WordPress.org (check your version and update)
- NCSC: keeping your software up to date
- NCSC: protecting your website from compromise
Correction
2 July 2026, 17:04 BST. An earlier version of this filing described the flaw as "about as bad as a web vulnerability gets" without noting its attack complexity. Patchstack, which assigned the CVE, rates it high complexity (CVSS vector AV:N/AC:H/PR:N/UI:N), meaning exploitation needs specific conditions on the target site to line up first. It still requires no login, and it is still worth patching without delay, but it is not a trivial one-click attack. We have updated the text above to reflect that.