CVE-2025-9501

CVSS v3.1

9.0

Vector

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions W3 Total Cache versions prior to 2.8.13

Description The W3 Total Cache WordPress plugin is affected by a command injection issue through the

 parse dynamic mfunc

function. This allows unauthenticated users to execute arbitrary PHP commands by submitting a comment containing a malicious payload to a post. It is estimated that over one million WordPress sites are potentially impacted. Exploitation involves submitting a crafted comment, which allows attackers to inject and execute PHP code, potentially leading to full site takeover. The

 parse dynamic mfunc

function is responsible for processing calls to dynamic functions embedded in cached content. The vulnerability allows attackers to bypass authentication and execute commands on the server. A proof-of-concept exploit has been published.

Recommendations Update to W3 Total Cache version 2.8.13 or later.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

BDU:2025-15444

CVE-2025-9501

Affected Products

W3 Total Cache

CVE-2025-9501

Weakness Enumeration

Related Identifiers

Affected Products

References · 49