Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Critical vulnerability in the WordPress plugin W3 Total Cache. 430,000 sites at risk!

21 November 2025 08:56

A critical vulnerability, CVE-2025-9501, has been discovered in the popular WordPress plugin W3 Total Cache. This vulnerability allows the execution of arbitrary PHP commands on the server without authentication. To execute the attack, simply leave a comment containing the payload on the vulnerable resource.

The issue affects all plugin versions prior to 2.8.13 and is related to the _parse_dynamic_mfunc() function, which handles dynamic function calls in cached content.

According to WPScan analysts, an attacker can inject commands through this feature simply by posting a specially crafted comment on a website. Successful exploitation of the flaw gives the attacker complete control over the site, allowing them to execute any command on the server.

W3 Total Cache is one of the most popular WordPress performance optimization plugins, installed on over a million websites. The plugin developers released a patched version, 2.8.13, on October 20, 2025. However, according to WordPress.org statistics, the plugin has since been downloaded approximately 430,000 times, meaning hundreds of thousands of websites are still vulnerable to CVE-2025-9501.

WPScan researchers have developed a proof-of-concept exploit, but they plan to release it only on November 24, 2025, to give website administrators more time to update. This is because, after a proof-of-concept exploit is published, attackers typically launch a massive search for vulnerable targets and attack them.

Site administrators are advised to update W3 Total Cache to version 2.8.13 as soon as possible. If updating is not possible, it is recommended to disable the plugin or take measures to prevent comments from being used to deliver payloads (for example, disabling comments on the site or enabling pre-moderation).
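As an added example that is not part of this article and not tooling from WPScan or the plugin's developers, the following POSIX shell script turns the advice above into a repeatable check: it compares the installed W3 Total Cache version against 2.8.13 and, on request, applies the interim measures (manual comment approval, comments closed on existing posts) through WP-CLI. It assumes WP-CLI is installed as `wp` and that the site lives at `WP_ROOT` (an assumed variable, defaulting to the current directory); the `check`, `update` and `mitigate` subcommands are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the article or the plugin): check whether the
# installed W3 Total Cache predates the 2.8.13 fix for CVE-2025-9501 and,
# optionally, apply the interim mitigations the article lists.
# Assumptions: WP-CLI is available as "wp"; WP_ROOT (assumed variable)
# points at the WordPress install directory and defaults to ".".

PATCHED_W3TC_VERSION="2.8.13"   # first release containing the fix
W3TC_MAIN_FILE="wp-content/plugins/w3-total-cache/w3-total-cache.php"

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Components are compared numerically; a missing component counts as 0,
# so "2.8" < "2.8.13". Pre-release suffixes such as "-beta" are not handled.
version_lt() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 1            # every component equal: not lower
        fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# w3tc_is_vulnerable VERSION: exit 0 when VERSION predates the patched release.
w3tc_is_vulnerable() {
    version_lt "$1" "$PATCHED_W3TC_VERSION"
}

# installed_w3tc_version: print the installed plugin version. Uses WP-CLI when
# present; otherwise reads the "Version:" header of the plugin's main file.
installed_w3tc_version() {
    root="${WP_ROOT:-.}"
    if command -v wp >/dev/null 2>&1; then
        wp plugin get w3-total-cache --field=version --path="$root"
    else
        sed -n 's/^[[:space:]]*\*[[:space:]]*Version:[[:space:]]*//p' \
            "$root/$W3TC_MAIN_FILE" | head -n 1
    fi
}

# mitigate: stop-gap measures until the plugin can be updated. Requiring
# manual approval keeps unreviewed comments off the site; closing comments
# on existing posts removes the delivery channel. Note that
# default_comment_status only affects posts created afterwards, hence the
# explicit pass over existing posts.
mitigate() {
    root="${WP_ROOT:-.}"
    wp option update comment_moderation 1 --path="$root"
    wp option update default_comment_status closed --path="$root"
    wp post list --post_type=post --post_status=any --format=ids --path="$root" \
        | xargs -n 50 wp post update --comment_status=closed --path="$root"
}

case "${1:-}" in
    check)
        v=$(installed_w3tc_version)
        if [ -z "$v" ]; then
            echo "could not determine the W3 Total Cache version" >&2
            exit 1
        fi
        if w3tc_is_vulnerable "$v"; then
            echo "W3 Total Cache $v predates $PATCHED_W3TC_VERSION: vulnerable to CVE-2025-9501"
            exit 2
        fi
        echo "W3 Total Cache $v is at or above $PATCHED_W3TC_VERSION"
        ;;
    update)   wp plugin update w3-total-cache --path="${WP_ROOT:-.}" ;;
    mitigate) mitigate ;;
    "")       ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 {check|update|mitigate}" >&2; exit 1 ;;
esac
```

Run `sh w3tc-check.sh check` from the WordPress root (or with `WP_ROOT=/var/www/site`) in a fleet loop to find sites still below 2.8.13; the non-zero exit code makes it easy to collect the vulnerable ones. `mitigate` is deliberately separate from `update`, since closing comments is a visible change that should only be applied where the update itself cannot be done immediately.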

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.