W3 Total Cache WordPress plugin vulnerable to PHP command injection

A critical vulnerability (CVE-2025-9501) in the W3 Total Cache (W3TC) WordPress plugin allows unauthenticated attackers to execute PHP code on affected sites. Updating to version 2.8.13, or deactivating the plugin until it can be updated, is essential to mitigate the risk of a full site takeover. #W3TotalCache #CVE-2025-9501

Keypoints

  • CVE-2025-9501 affects all W3 Total Cache versions prior to 2.8.13.
  • An attacker can inject PHP code by submitting a specially crafted comment; when the page is cached and processed, the injected code runs, resulting in remote code execution.
  • The flaw lies in the plugin's _parse_dynamic_mfunc() function, which handles dynamic (mfunc) fragments while processing cached content.
  • The developer released a patched version on October 20, but many sites have not yet updated and remain exposed.
  • Site administrators should upgrade the plugin immediately or temporarily deactivate it until the update can be applied.
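Two quick checks an administrator can run while triaging this issue, as an added example that is not code from the article or from the W3TC project: a numeric version comparison against the patched release named above, and a scan of stored comments for mfunc tags, the HTML-comment syntax of the W3TC dynamic-fragment feature that _parse_dynamic_mfunc() handles. The tag syntax is taken from the plugin's documented feature rather than from the article, the plugin header and comment rows are constructed sample data, and the WP-CLI commands in the usage note are the standard way to obtain the real inputs.

```python
import re

# Version that fixes CVE-2025-9501 according to the article.
PATCHED_VERSION = "2.8.13"

# W3TC's dynamic-fragment feature uses HTML-comment "mfunc" tags (the feature
# behind _parse_dynamic_mfunc()). Opening and closing forms are both matched,
# and anything between the tag name and "-->" is allowed so variants with
# attributes are not missed. Assumption: syntax per the plugin's feature docs.
MFUNC_TAG_RE = re.compile(r"<!--\s*/?\s*mfunc\b[^>]*-->", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '2.8.13' into (2, 8, 13) so comparison is numeric, not lexical
    ('2.8.9' must sort below '2.8.13', which a string compare gets wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed W3TC version predates the patched release."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)


def plugin_version_from_header(plugin_file_text: str):
    """Read the 'Version:' field from a WordPress plugin header comment."""
    match = re.search(
        r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", plugin_file_text, re.MULTILINE
    )
    return match.group(1) if match else None


def find_mfunc_comments(comments):
    """Return the IDs of stored comments that carry an mfunc tag.

    `comments` is a list of dicts shaped like rows from wp_comments with
    at least the keys comment_ID and comment_content.
    """
    return [
        row["comment_ID"]
        for row in comments
        if MFUNC_TAG_RE.search(row["comment_content"])
    ]


# Constructed sample input (not real data): a W3TC plugin header on an
# unpatched version and three comment rows, one of which carries an mfunc tag.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Version: 2.8.12
 */
"""

SAMPLE_COMMENTS = [
    {"comment_ID": 101, "comment_content": "Great write-up, thanks!"},
    {"comment_ID": 102,
     "comment_content": "nice post <!-- mfunc --> echo 'test'; <!-- /mfunc -->"},
    # Mentions the word but contains no tag, so it must not be flagged.
    {"comment_ID": 103, "comment_content": "Does the mfunc feature still work?"},
]


def main():
    installed = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    status = "VULNERABLE" if is_vulnerable_version(installed) else "patched"
    print(f"W3TC {installed}: {status} (fixed in {PATCHED_VERSION})")
    hits = find_mfunc_comments(SAMPLE_COMMENTS)
    print(f"comments containing mfunc tags: {hits or 'none'}")


if __name__ == "__main__":
    main()
```

On a live site, `wp plugin get w3-total-cache --field=version` returns the installed version to feed into `is_vulnerable_version`, and `wp db query "SELECT comment_ID, comment_content FROM wp_comments WHERE comment_content LIKE '%mfunc%'"` (adjust the table prefix to match the install) pulls candidate rows for `find_mfunc_comments`. A hit is an indicator worth reviewing, not proof of compromise, and neither check substitutes for the upgrade to 2.8.13.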

Read More: https://www.bleepingcomputer.com/news/security/w3-total-cache-wordpress-plugin-vulnerable-to-php-command-injection/