A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload.
The vulnerability, tracked as CVE-2025-9501, affects all versions of the W3TC plugin prior to 2.8.13 and is described as an unauthenticated command injection.
W3TC is installed on more than one million websites to increase performance and reduce load times.
The developer released version 2.8.13, which addresses the security issue, on October 20. However, based on data from WordPress.org, hundreds of thousands of websites may still be vulnerable, as there have been around 430,000 downloads since the patch became available.
WordPress security company WPScan says that an attacker can trigger CVE-2025-9501 and inject commands through the _parse_dynamic_mfunc() function responsible for processing dynamic function calls embedded in cached content.
“The [W3TC] plugin is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post,” WPScan
An attacker successfully exploiting this PHP code execution may be able to take full control of the vulnerable WordPress website, as they can run any command on the server without the need to authenticate.
WPScan researchers have developed a proof-of-concept exploit (PoC) for CVE-2025-9501 and said they would publish it on November 24 to give users sufficient time to install the updates.
Typically, malicious exploitation of flaws begins almost immediately following the publication of a PoC exploit. Typically, after an exploit code is published, attackers look for potential targets and try to compromise them.
Website administrators who cannot upgrade by the deadline should consider deactivating the W3 Total Cache plugin or take the necessary action to make sure that comments cannot be used to deliver malicious payloads that could trigger the exploit.
The recommended action is to upgrade to W3 Total Cache version 2.8.13, released on October 20.
The 2026 CISO Budget Benchmark
It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.