W3 Total Cache WordPress Plugin Command Injection Vulnerability
Summary
A critical unauthenticated command injection vulnerability (CVE-2025-9501) in the W3 Total Cache WordPress plugin allows attackers to execute arbitrary PHP commands on the server by posting a malicious comment. The flaw affects versions prior to 2.8.13 and is actively being exploited. The developer released a patch on October 20, but hundreds of thousands of websites remain vulnerable. A proof-of-concept exploit is scheduled for public release on November 24.
Timeline
- 19.11.2025 19:34 · 1 article
  W3 Total Cache Plugin Vulnerability Exploit Scheduled for Public Release
  A proof-of-concept exploit for the W3 Total Cache WordPress plugin vulnerability (CVE-2025-9501) is scheduled for release on November 24. This could lead to increased exploitation attempts, as attackers typically target vulnerable websites immediately after exploit code is published.
  Source: W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
Information Snippets
- The vulnerability (CVE-2025-9501) is an unauthenticated command injection flaw in the W3 Total Cache WordPress plugin.
  First reported: 19.11.2025 19:34 (1 source, 1 article)
  Source: W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
- The flaw affects all versions of the plugin prior to 2.8.13.
  First reported: 19.11.2025 19:34 (1 source, 1 article)
  Source: W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
- The vulnerability can be exploited by posting a comment containing a malicious payload.
  First reported: 19.11.2025 19:34 (1 source, 1 article)
  Source: W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
- The _parse_dynamic_mfunc() function is responsible for processing dynamic function calls embedded in cached content, which can be exploited to inject commands.
  First reported: 19.11.2025 19:34 (1 source, 1 article)
  Source: W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
- Successful exploitation can lead to full control of the vulnerable WordPress website.
  First reported: 19.11.2025 19:34 (1 source, 1 article)
  Source: W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
- The developer released version 2.8.13 on October 20 to address the issue.
  First reported: 19.11.2025 19:34 (1 source, 1 article)
  Source: W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
- Around 430,000 websites may still be vulnerable as of the publication date.
  First reported: 19.11.2025 19:34 (1 source, 1 article)
  Source: W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
- A proof-of-concept exploit is scheduled for release on November 24.
  First reported: 19.11.2025 19:34 (1 source, 1 article)
  Source: W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
- Website administrators are advised to upgrade to version 2.8.13 or deactivate the plugin if upgrading is not possible.
  First reported: 19.11.2025 19:34 (1 source, 1 article)
  Source: W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34