Advisory

Critical command injection flaw reported in W3 Total Cache WordPress plugin

Take action: If you're using the W3 Total Cache plugin, update it to version 2.8.13 or newer immediately, before November 24th. There is a nearly trivial exploit for any WordPress site that uses this plugin and accepts comments on posts. On the 24th the exploit PoC code goes public, and attackers will flood all targets with automated attacks. After updating, check your site's comments and files for any suspicious activity between October 27th and the time of patching; you may already have been compromised.


Learn More

A critical security vulnerability is reported in the W3 Total Cache WordPress plugin that exposes sites to risk of remote code execution and compromise.

The vulnerability is tracked as CVE-2025-9501 (CVSS score 9.0) and is caused by a command injection flaw in the _parse_dynamic_mfunc function. Attackers can exploit it by submitting malicious PHP code in WordPress comments on any publicly accessible post or page, and no authentication is required. Once the malicious comment is submitted, the injected commands execute with the full permissions of the WordPress application, effectively granting the attacker the same level of access as the web server itself.

The flaw affects all versions of W3 Total Cache prior to 2.8.13.

Proof-of-concept exploit code is scheduled for release on November 24, 2025. The PoC is expected to significantly increase exploitation attempts as attackers gain access to working exploit tools.

Website owners should update the plugin to version 2.8.13 or newer as soon as possible. Administrators should also run a security audit of their systems, reviewing security logs, the file system and the database for:

  • suspicious comment activity between October 27, 2025, and the date the patch was applied,
  • unauthorized file modifications or unexpected PHP files in the WordPress directory structure,
  • database records showing signs of data exfiltration or manipulation,
  • web shells or backdoors that may have been installed by attackers.
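One way to carry out the comment-review step of the audit above, as an added example that is not part of this advisory or of the W3 Total Cache plugin's code: it assumes comment rows exported from the wp_comments table as dicts (comment_ID, comment_date_gmt and comment_content are the standard WordPress column names), and the indicator list is a triage heuristic, not a published detection signature.

```python
import re
from datetime import datetime

# Start of the exposure window named in the advisory.
WINDOW_START = datetime(2025, 10, 27)

# Heuristic indicators of PHP code or dynamic-fragment markup in comment text.
# Assumption: this list is a starting point for triage, not a published signature.
INDICATORS = [
    r"<\?php", r"<\?=", r"\bmfunc\b", r"\beval\s*\(", r"\bsystem\s*\(",
    r"\bshell_exec\s*\(", r"\bpassthru\s*\(", r"\bbase64_decode\s*\(",
]
INDICATOR_RE = re.compile("|".join(INDICATORS), re.IGNORECASE)

def triage_comments(rows, patched_at):
    """Return [(comment_ID, [indicators])] for rows posted between
    WINDOW_START and patched_at (inclusive) whose text matches an indicator."""
    findings = []
    for row in rows:
        posted = datetime.strptime(row["comment_date_gmt"], "%Y-%m-%d %H:%M:%S")
        if not (WINDOW_START <= posted <= patched_at):
            continue  # outside the exposure window; not relevant to this CVE
        hits = sorted({m.group(0).lower() for m in INDICATOR_RE.finditer(row["comment_content"])})
        if hits:
            findings.append((row["comment_ID"], hits))
    return findings

# Constructed sample rows in the shape of a wp_comments export (not real data).
SAMPLE_ROWS = [
    {"comment_ID": 101, "comment_date_gmt": "2025-10-20 09:00:00",
     "comment_content": "<?php /* before the window: ignored */ ?>"},
    {"comment_ID": 102, "comment_date_gmt": "2025-11-02 14:30:00",
     "comment_content": "Great post, thanks!"},
    {"comment_ID": 103, "comment_date_gmt": "2025-11-05 03:12:44",
     "comment_content": "nice article <?php eval(PLACEHOLDER); ?>"},
    {"comment_ID": 104, "comment_date_gmt": "2025-11-25 08:00:00",
     "comment_content": "<?php /* after patching: ignored */ ?>"},
]

def run_sample():
    """Triage the constructed rows, assuming the patch was applied on 2025-11-24."""
    return triage_comments(SAMPLE_ROWS, datetime(2025, 11, 24))

if __name__ == "__main__":
    for cid, hits in run_sample():
        print(f"comment {cid}: matched {', '.join(hits)}")
```

Any flagged comment is a lead for a closer look at the post it was attached to and at the cache and upload directories for files created around the same time, not a confirmed compromise on its own.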

Update: as of November 24th, WPScan has published the PoC exploit code.
