
Critical Vulnerability Found in W3 Total Cache WordPress Plugin

Summary

– A critical flaw in the W3 Total Cache WordPress plugin (CVE-2025-9501) allows unauthenticated attackers to execute PHP commands via malicious comments.
– This vulnerability affects all W3TC plugin versions before 2.8.13 and could enable full control of vulnerable WordPress websites.
– The developer released a patched version (2.8.13) on October 20, but hundreds of thousands of sites remain at risk because the update has not yet been widely applied.
– WPScan plans to publish a proof-of-concept exploit on November 24, after which widespread malicious exploitation is expected.
– Website administrators must upgrade to version 2.8.13 immediately or disable the plugin to prevent potential attacks.

A significant security flaw has been identified within the widely used W3 Total Cache WordPress plugin, posing a serious risk to website integrity. This vulnerability, officially designated as CVE-2025-9501, enables attackers to execute arbitrary PHP commands on the server simply by submitting a specially crafted comment. The issue impacts every version of the plugin released before 2.8.13 and is classified as an unauthenticated command injection, meaning no login or privileges are required to carry out an attack.

W3 Total Cache is a popular performance optimization tool installed on over one million WordPress sites to speed up page loading and improve user experience. The plugin’s developer addressed the security hole with the release of version 2.8.13 on October 20. Despite this fix, data from WordPress.org indicates that a large number of websites remain exposed. Approximately 430,000 downloads have occurred since the patched version was made available, suggesting many site owners have not yet applied the critical update.

According to analysis by WordPress security firm WPScan, the vulnerability resides in the `parsedynamic_mfunc()` function, which handles dynamic function calls within cached content. Because comment content reaches this function, an attacker can post a comment containing malicious code that the function then executes as PHP. Successfully leveraging this flaw grants an attacker complete control over the affected WordPress installation, allowing them to run any server command without authentication.

WPScan has already created a proof-of-concept exploit for CVE-2025-9501. To encourage prompt patching, the company plans to publicly release this exploit code on November 24. Historically, the publication of such proof-of-concept tools triggers a wave of malicious activity, as threat actors quickly scan for and target unpatched systems.

Website administrators are urged to update the W3 Total Cache plugin to version 2.8.13 immediately. For those unable to upgrade by the November 24 deadline, temporarily deactivating the plugin is a recommended precaution. Alternatively, implementing measures to block comments from being used to deliver malicious payloads can help mitigate risk until a proper update can be performed. Taking swift action is essential to protect your site from potential compromise.
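As an added example of the stop-gap mentioned above, the following must-use plugin rejects comment submissions that carry W3 Total Cache dynamic-fragment markers before they are stored; it is not code from the article, WPScan or the W3TC project. It assumes, from the `parsedynamic_mfunc()` name given above, that the relevant markers are W3TC's documented `mfunc`/`mclude` HTML-comment syntax; that mapping, the `hypo_` function names and the log line are this example's assumptions.

```php
<?php
/**
 * Plugin Name: Block W3TC dynamic-fragment markers in comments (hypothetical)
 *
 * Added mitigation example, not W3 Total Cache code. Place in
 * wp-content/mu-plugins/ until W3TC 2.8.13 is installed, then remove it.
 */

/**
 * Returns true when $text contains a W3TC fragment-caching marker.
 * The marker names (mfunc, mclude) are W3TC's documented fragment syntax;
 * treating them as the comment-borne vector is this example's assumption,
 * based on the article naming parsedynamic_mfunc() as the vulnerable code.
 */
function hypo_w3tc_has_dynamic_marker( string $text ): bool {
    // Decode entities and drop NUL bytes so lightly obfuscated variants match.
    $normalized = html_entity_decode( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    $normalized = str_replace( "\0", '', $normalized );
    // "<!--", optional whitespace, optional "/", then mfunc or mclude.
    return (bool) preg_match( '/<!--\s*\/?\s*(mfunc|mclude)\b/i', $normalized );
}

/**
 * Runs on the preprocess_comment filter, i.e. before the comment is written
 * to the database. Every text field a visitor controls is checked. Users who
 * may post unfiltered HTML (administrators) are exempt; everyone else is
 * refused with a 403 and the event is logged for the site's IR records.
 */
function hypo_w3tc_reject_marker_comments( array $commentdata ): array {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $commentdata;
    }
    $fields = array( 'comment_content', 'comment_author', 'comment_author_url' );
    foreach ( $fields as $field ) {
        $value = isset( $commentdata[ $field ] ) ? (string) $commentdata[ $field ] : '';
        if ( $value !== '' && hypo_w3tc_has_dynamic_marker( $value ) ) {
            $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
            error_log( 'w3tc-guard: rejected comment with dynamic marker in ' . $field . ' from ' . $ip );
            wp_die( 'Comment rejected.', 'Comment rejected', array( 'response' => 403 ) );
        }
    }
    return $commentdata;
}
// Priority 1 so the check runs before other comment filters.
add_filter( 'preprocess_comment', 'hypo_w3tc_reject_marker_comments', 1 );
```

This only covers the comment path the article describes and does not replace the 2.8.13 update; comments already stored before the filter was installed should be reviewed separately.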

(Source: Bleeping Computer)
