Critical Vulnerability in W3 Total Cache Plugin Allows Server Takeover

A severe security flaw in the popular W3 Total Cache (W3TC) WordPress plugin enables unauthenticated attackers to execute arbitrary PHP commands on the server. Tracked as CVE-2025-9501, this command injection vulnerability affects all versions of the plugin prior to 2.8.13. With over one million installations, the plugin is widely used to optimize website performance.

The vulnerability resides in the _parse_dynamic_mfunc() function, which processes dynamic calls within cached content. An attacker can exploit it by submitting a specially crafted comment containing a malicious payload to a post. Successful exploitation grants the attacker complete control over the website, allowing them to run any command on the underlying server without needing login credentials.

Although a patched version (2.8.13) was released on October 20, download statistics indicate that hundreds of thousands of sites remain vulnerable. Security researchers have developed a proof-of-concept exploit and plan to publish it on November 24 to encourage swift patching. Website administrators are strongly urged to upgrade immediately or consider disabling the plugin to prevent potential compromise once the exploit becomes public.
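A quick way for administrators to confirm whether a site still runs a version older than 2.8.13 is to read the version from the plugin's header file. The script below is an added example for this article, not code from the plugin or the researchers; it assumes the standard WordPress layout in which the plugin's main file is wp-content/plugins/w3-total-cache/w3-total-cache.php and carries a "Version:" header line.

```shell
# Added example (not from the article): report whether a WordPress install
# still runs W3 Total Cache older than the fixed release 2.8.13.
# Assumed plugin path: wp-content/plugins/w3-total-cache/w3-total-cache.php
FIXED_VERSION="2.8.13"

# Pull the "Version:" value out of a WordPress plugin header file ($1).
w3tc_installed_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is strictly lower than $2 (pure POSIX sh,
# so 2.10.0 correctly sorts above 2.8.13, unlike a plain string compare).
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Check the WordPress root in $1 (default: current directory).
# Exit status: 0 patched, 1 vulnerable, 2 plugin absent or unreadable.
w3tc_check() {
    root="${1:-.}"
    main="$root/wp-content/plugins/w3-total-cache/w3-total-cache.php"
    if [ ! -f "$main" ]; then
        echo "W3 Total Cache not installed under $root"
        return 2
    fi
    ver="$(w3tc_installed_version "$main")"
    if [ -z "$ver" ]; then
        echo "Could not read a Version: header from $main"
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE: W3 Total Cache $ver < $FIXED_VERSION (CVE-2025-9501) under $root"
        return 1
    fi
    echo "OK: W3 Total Cache $ver under $root"
    return 0
}
```

Run it as `w3tc_check /var/www/html` on each host; a non-zero status makes it easy to wire into a fleet-wide inventory or a cron job that alerts until the upgrade lands.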
