Command Injection Vulnerability in W3 Total Cache WordPress Plugin
CVE-2025-9501

9 CRITICAL

Key Information:

Vendor: WordPress

CVE Published: 17 November 2025

Badges

📈 Trended
📈 Score: 2,400
💰 Ransomware
👾 Exploit Exists
🟡 Public PoC
📰 News Worthy

What is CVE-2025-9501?

CVE-2025-9501 is a command injection vulnerability in the W3 Total Cache plugin for WordPress, affecting versions prior to 2.8.13. This widely used plugin improves the performance and load time of WordPress sites through caching. The flaw lies in the plugin's _parse_dynamic_mfunc function and can be reached by unauthenticated users: by submitting a crafted comment containing a malicious payload to a post, an attacker can execute arbitrary PHP code on the server. Consequences for affected installations can be severe, including manipulation of the server environment, installation of malware, and unauthorized access to sensitive information, with a corresponding impact on organizational integrity and trust.

Potential impact of CVE-2025-9501

  1. Unauthorized Remote Code Execution: The vulnerability lets attackers execute arbitrary PHP code and take control of the server. This unauthorized access can lead to significant malware infections or data breaches.

  2. Data Breaches and Loss: Exploitation of this vulnerability can result in the exposure of sensitive client data or organizational information stored on the compromised WordPress site, which can have legal and reputational repercussions.

  3. Website Compromise and Downtime: A successful attack might result in website defacement or the installation of backdoors, leading to prolonged downtime. This interruption can harm business operations, erode customer trust, and lead to financial losses.

Affected Version(s)

W3 Total Cache, all versions from 0 up to but not including 2.8.13

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

PoC released for W3 Total Cache Vulnerability that Exposes 1+ Million Websites to RCE Attacks

A proof-of-concept exploit released for an unauthenticated command-injection flaw affecting W3 Total Cache puts many websites at high risk.

2 weeks ago

PoC Released for W3 Total Cache RCE Vulnerability Exposing 1+ Million Websites

The vulnerability stems from an unauthenticated command injection flaw in W3 Total Cache's page-caching mechanism.

2 weeks ago

PoC Published for W3 Total Cache Flaw Exposing 1M+ Sites to RCE

A PoC exploit for a critical remote code execution vulnerability in W3 Total Cache, one of WordPress's most popular caching plugins.

2 weeks ago

CVSS V3.1

Score: 9
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 📈 Vulnerability started trending
  • 💰 Used in Ransomware
  • 📰 First article discovered by The Cyber Express
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

wcraft
WPScan