A plugin misconfiguration leads to possible WordPress cms hack. Cache data is stored in public accessible directory, from where a malicious attack can can retrieve password hashes and other database information. The default location where this plugin stores data is /wp-content/w3tc/dbcache/” and if directory listing is enabled, attacker can browse and download it. This patch works for all hosting environments / types where PHP is properly configured, i.e..htaccess modifications (or other web server configuration changes) are *not* necessary.
Source: https://thehackernews.com/2012/12/wordpress-plugin-w3-total-cache_26.html