A serious security flaw has been identified in the W3 Total Cache (W3TC) WordPress plugin that allows an unauthenticated attacker to execute arbitrary PHP code on the web server simply by submitting a comment containing a malicious payload.
The vulnerability, tracked as CVE-2025-9501, is classified as unauthenticated command injection (in practice, PHP code execution in the context of the web server) and affects all plugin versions before 2.8.13.
W3 Total Cache is widely used, powering more than one million websites to boost performance and reduce load times. Although the developer issued a patch on October 20, a large number of sites remain exposed. WordPress.org data shows only about 430,000 downloads of the updated version, suggesting that hundreds of thousands of websites are still running vulnerable builds.
Security researchers at WPScan warn that the flaw is reachable through the plugin's _parse_dynamic_mfunc() function, which processes dynamic function calls (W3TC's fragment-cache markers) embedded in cached page content. Because visitor comments are rendered into the page that W3TC caches, attacker-controlled text reaches this parser. By posting a crafted comment, an attacker can therefore inject and execute arbitrary PHP code, potentially gaining full control of the affected website. No authentication is required, and comment submission is enabled by default on most WordPress sites.
WPScan has developed a proof-of-concept exploit and plans to release it publicly on November 24, giving website owners time to apply the update. Once the exploit code becomes available, exploitation attempts are expected to escalate quickly, as attackers commonly begin mass-scanning for vulnerable targets within hours or days of a PoC being published.
The recommended and only complete fix is to upgrade to W3 Total Cache version 2.8.13 or later as soon as possible. Administrators who cannot update immediately are strongly advised to deactivate the plugin, or at minimum to disable comment submission or otherwise prevent comments from delivering the payload, until the update can be applied. Note that blocking new comments does not neutralise a malicious comment that has already been stored, so sites that delayed patching should also review recently submitted comments.
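As an illustration of the stopgap described above, the following must-use plugin (drop it into wp-content/mu-plugins/) rejects comment submissions that contain W3 Total Cache's documented fragment-cache markers. This is an added example written for this article; it is not code from the W3TC project or from WPScan. It assumes, based on the function name and WPScan's description, that a payload has to reach _parse_dynamic_mfunc() through an mfunc or mclude marker; the regular expression, the hook choice and the function names are this example's own. It is a temporary mitigation for new submissions only and is not a substitute for updating to 2.8.13.

```php
<?php
/**
 * Plugin Name: Block W3TC fragment-cache markers in comments
 * Description: Temporary stopgap for CVE-2025-9501. Rejects comment submissions
 *              containing W3 Total Cache mfunc/mclude markers. Update W3TC to
 *              2.8.13 or later; this does not replace the patch.
 */

if (!defined('ABSPATH')) {
    exit; // Do not run outside WordPress.
}

// Assumption: the vulnerable parser is reached via W3TC's documented
// dynamic-fragment markers, e.g. "<!-- mfunc ... -->" and "<!-- mclude ... -->".
// The pattern tolerates optional whitespace, a closing slash and mixed case.
const W3TC_STOPGAP_MARKER_RE = '/<!--\s*\/?\s*m(?:func|clude)\b/i';

/**
 * Return true if the given text contains an mfunc/mclude marker.
 */
function w3tc_stopgap_has_marker(string $text): bool
{
    return preg_match(W3TC_STOPGAP_MARKER_RE, $text) === 1;
}

/**
 * preprocess_comment filter: runs before the comment is written to the
 * database. Every attacker-controlled field that can end up in rendered
 * (and therefore cached) HTML is checked, not just the comment body.
 */
function w3tc_stopgap_block_comment(array $commentdata): array
{
    $fields = ['comment_content', 'comment_author', 'comment_author_url', 'comment_author_email'];

    foreach ($fields as $field) {
        if (!empty($commentdata[$field]) && w3tc_stopgap_has_marker((string) $commentdata[$field])) {
            // Log enough to triage (source IP, which field) without storing the payload.
            error_log(sprintf(
                '[w3tc-stopgap] rejected comment from %s: fragment-cache marker in %s',
                $_SERVER['REMOTE_ADDR'] ?? 'unknown',
                $field
            ));
            wp_die(
                __('Your comment could not be submitted.'),
                __('Comment rejected'),
                ['response' => 403]
            );
        }
    }

    return $commentdata;
}

// Priority 1 so the check runs before other comment filters see the data.
add_filter('preprocess_comment', 'w3tc_stopgap_block_comment', 1);
```

The filter only covers comments submitted through WordPress after the mu-plugin is installed; comments already in the database, or inserted through other paths such as the REST API or XML-RPC on sites that expose them, need to be reviewed separately. Remove the mu-plugin once W3 Total Cache has been updated to 2.8.13 or later.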