W3 Total Cache WordPress plugin vulnerable to PHP command injection

by CybrGPT

A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to execute attacker-supplied PHP code on the server simply by posting a comment that contains a malicious payload.

The vulnerability, tracked as CVE-2025-9501, affects all versions of the W3TC plugin prior to 2.8.13 and is described as an unauthenticated command injection.

W3TC is a caching plugin installed on more than one million websites to improve performance and reduce page load times.


The developer released version 2.8.13, which addresses the security issue, on October 20. However, WordPress.org statistics show only around 430,000 downloads since the patch became available, so with more than a million active installs, hundreds of thousands of websites may still be running a vulnerable version.

WordPress security company WPScan says the flaw lies in _parse_dynamic_mfunc(), the function responsible for processing dynamic function calls embedded in cached content: attacker-controlled text submitted through a comment reaches this function and is treated as code rather than data.

“The [W3TC] plugin is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post,” WPScan said.

Because the injected PHP runs with the privileges of the web server process and no authentication is required, an attacker who successfully exploits the flaw can take full control of the vulnerable WordPress website, including running operating system commands, reading wp-config.php credentials and planting persistent backdoors.

WPScan researchers have developed a proof-of-concept exploit (PoC) for CVE-2025-9501 and said they would publish it on November 24 to give users sufficient time to install the updates.

Malicious exploitation of a flaw typically begins almost immediately after a PoC is published: attackers scan for exposed installations and attempt to compromise them in bulk.

Website administrators who cannot upgrade by that deadline should deactivate the W3 Total Cache plugin or otherwise ensure that comments cannot deliver a malicious payload, for example by closing comments on all posts until the update is applied. Only upgrading removes the vulnerable code path.

The recommended action is to upgrade to W3 Total Cache version 2.8.13, released on October 20.
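Whether a site is still exposed comes down to the version string in the plugin header, so a quick offline check is useful when auditing many installs. The following Python script is an added example, not code from the article, from WPScan or from the W3TC project: it reads the standard WordPress plugin header ("Version: x.y.z") from the plugin's main file and flags anything older than 2.8.13. The path wp-content/plugins/w3-total-cache/w3-total-cache.php and the embedded sample header are assumptions made for illustration.

```python
"""
Offline check for CVE-2025-9501: is the installed W3 Total Cache older than
the fixed release 2.8.13?  Added example, not the article's or the plugin's code.
Assumes the standard WordPress plugin header format and the usual install
path wp-content/plugins/w3-total-cache/w3-total-cache.php (an assumption).
"""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "2.8.13"  # first release that addresses CVE-2025-9501 (from the article)

# Matches the "Version:" header line the way WordPress core does: the key may be
# preceded by comment decoration such as " * " and is case-insensitive.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.8.13' (or '2.8.13-beta') into a tuple of ints for numeric comparison."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric component (e.g. a suffix)
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed one.

    Numeric tuple comparison is essential: a plain string comparison would rank
    '2.8.9' above '2.8.13' and report an unpatched install as safe.
    """
    return parse_version(installed) < parse_version(fixed)


def version_from_header(header_text: str) -> str:
    """Extract the Version header from the main plugin file's contents."""
    m = _VERSION_RE.search(header_text)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def check_plugin_file(main_file: Path) -> dict:
    """Report the version found in the given plugin file and whether it is vulnerable."""
    text = main_file.read_text(encoding="utf-8", errors="replace")
    version = version_from_header(text)
    return {"path": str(main_file), "version": version, "vulnerable": is_vulnerable(version)}


def check_wordpress_root(root: Path) -> Optional[dict]:
    """Locate W3TC under a WordPress root; None means the plugin is not installed there."""
    main_file = root / "wp-content" / "plugins" / "w3-total-cache" / "w3-total-cache.php"
    if not main_file.is_file():
        return None
    return check_plugin_file(main_file)


# Constructed sample header in the standard WordPress plugin header layout
# (not copied from the real plugin); used when no path is supplied.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Description: Page, object and browser caching.
 * Version: 2.8.12
 */
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_wordpress_root(Path(sys.argv[1]))
        print(result if result else "W3 Total Cache not found under that WordPress root")
    else:
        found = version_from_header(SAMPLE_HEADER)
        print(f"sample header reports {found}: vulnerable={is_vulnerable(found)}")
```

Run it with the WordPress document root as the only argument, or with no argument to exercise the constructed sample header. The reported version is what the plugin claims about itself; if an attacker has already modified files on the host, confirm the installed release against a known-good copy from WordPress.org rather than trusting the header alone.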

