W3 Total Cache Vulnerability: Update Mandatory

Vulnerability in WordPress Plugin W3 Total Cache Allows PHP Command Injection

A critical vulnerability, CVE-2025-9501, has been discovered in the popular WordPress plugin W3 Total Cache. The flaw is a PHP command injection that lets an unauthenticated attacker execute arbitrary PHP code on the server. The attack requires no account or privileges on the site: an attacker only needs to post a comment containing a malicious payload on a vulnerable site.

Technical Details

The issue affects all versions of the plugin prior to 2.8.13 and lies in the _parse_dynamic_mfunc() function, which processes dynamic function calls embedded in cached page content. According to analysts at WPScan, an attacker can reach this function and inject commands simply by publishing a specially crafted comment on the website, because comment text ends up in the content that the plugin caches and parses.

Successful exploitation gives the attacker control over the site at the level of the web server process: arbitrary PHP execution means arbitrary code execution, and from there the attacker can read the database credentials in wp-config.php, create administrator accounts, install backdoors, or pivot to anything else the web server account can reach.

Impact and Scope

W3 Total Cache is one of the most popular performance optimization plugins for WordPress, installed on over a million sites.

The plugin developers released a patched version, 2.8.13, on October 20, 2025. However, WordPress.org statistics show only about 430,000 downloads of the plugin since then. Even treating every one of those downloads as an update of an active install, that leaves well over half of the installed base, several hundred thousand sites, still running a version vulnerable to CVE-2025-9501.

Proof-of-Concept Disclosure Timeline

WPScan researchers have developed a proof-of-concept exploit for this vulnerability but plan to publish it only on November 24, 2025, to give site administrators additional time to update. The rationale is that the public release of a PoC typically prompts malicious actors to begin mass scanning for and attacking vulnerable targets, and a comment-based trigger is trivial to automate against a large number of sites.

Recommendations

Site administrators should update W3 Total Cache to version 2.8.13 or later immediately. If an update is not possible, administrators should deactivate the plugin or block the delivery path for the payload, for example by disabling comments on the site or enabling comment moderation so that no unreviewed comment is ever rendered into a cached page. These measures only narrow the attack surface; they are not a fix, and the plugin should still be updated as soon as possible.
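The following script is an added example of how an administrator could automate the check above with WP-CLI; it is not code from the article or from the W3 Total Cache project. It compares the installed plugin version against 2.8.13, updates the plugin if it is older, falls back to deactivating it when the update fails, and turns on comment moderation as an interim measure. It assumes WP-CLI is installed and that the script is run from the WordPress root directory, and it takes no action unless invoked with the argument `run`.

```shell
#!/bin/sh
# Added example (not from the article or the W3TC project): detect and remediate
# a W3 Total Cache install that is older than the patched release 2.8.13.
# Assumes WP-CLI ("wp") is on PATH and the working directory is the WordPress root.

PATCHED_VERSION="2.8.13"
PLUGIN_SLUG="w3-total-cache"

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Compares up to three numeric fields; a missing field counts as 0 and any
# suffix such as "-beta" is ignored so "2.8.13-rc1" compares as 2.8.13.
version_lt() {
    a="$1"
    b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x%%[!0-9]*}
        y=${y%%[!0-9]*}
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then
            return 0
        fi
        if [ "$x" -gt "$y" ]; then
            return 1
        fi
        i=$((i + 1))
    done
    return 1
}

# is_vulnerable VERSION: exit 0 when VERSION is affected by CVE-2025-9501,
# i.e. when it is older than the patched release.
is_vulnerable() {
    version_lt "$1" "$PATCHED_VERSION"
}

# remediate: query the installed version and act on it.
remediate() {
    if ! wp plugin is-installed "$PLUGIN_SLUG" --quiet 2>/dev/null; then
        echo "$PLUGIN_SLUG is not installed; nothing to do."
        return 0
    fi

    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version)
    echo "Installed $PLUGIN_SLUG version: $installed"

    if ! is_vulnerable "$installed"; then
        echo "Not affected (>= $PATCHED_VERSION)."
        return 0
    fi

    echo "VULNERABLE to CVE-2025-9501; attempting update..."
    if wp plugin update "$PLUGIN_SLUG"; then
        echo "Updated to $(wp plugin get "$PLUGIN_SLUG" --field=version)."
    else
        # Update failed: remove the vulnerable code path entirely.
        echo "Update failed; deactivating the plugin instead."
        wp plugin deactivate "$PLUGIN_SLUG"
    fi

    # Interim hardening: hold every new comment for moderation so unreviewed
    # comment text is never rendered into a cached page.
    wp option update comment_moderation 1
    echo "Comment moderation enabled."
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    remediate
fi
```

Run it as `sh check_w3tc.sh run` from the site root. The version comparison is deliberately done in plain POSIX shell rather than with `sort -V`, which is not available on every hosting platform.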