CVE-2025-9501

Name of the Vulnerable Software and Affected Versions W3 Total Cache versions prior to 2.8.13

Description The W3 Total Cache WordPress plugin is affected by a command injection issue through the parse dynamic mfunc function. This allows unauthenticated users to execute arbitrary PHP commands by submitting a comment containing a malicious payload to a post. It is estimated that over one million WordPress sites are potentially impacted. Exploitation involves submitting a crafted comment, which allows attackers to inject and execute PHP code, potentially leading to full site takeover. The parse dynamic mfunc function is responsible for processing calls to dynamic functions embedded in cached content. The vulnerability allows attackers to bypass authentication and execute commands on the server. A proof-of-concept exploit has been published.

Recommendations Update to W3 Total Cache version 2.8.13 or later.