Command Injection Vulnerability in W3 Total Cache WordPress Plugin
CVE-2025-9501
Currently unrated
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 17 November 2025
Badges
👾 Exploit Exists🟡 Public PoC
What is CVE-2025-9501?
The W3 Total Cache plugin for WordPress versions prior to 2.8.13 contains a command injection vulnerability due to improper handling of user inputs in the _parse_dynamic_mfunc function. This flaw allows unauthenticated users to inject malicious payloads through comments, enabling them to execute arbitrary PHP commands on the server. Website owners utilizing affected versions should take immediate action to update the plugin to mitigate any potential exploitation.
Affected Version(s)
W3 Total Cache 0 < 2.8.13
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.