A newly disclosed high-severity security flaw in the widely used W3 Total Cache (W3TC) plugin is putting more than 1 million WordPress websites at risk. Tracked as CVE-2025-9501, the vulnerability carries a CVSS score of 9.0 and allows unauthenticated command injection, making it one of the most severe issues ever identified in the performance-optimization plugin.
W3 Total Cache is a cornerstone of WordPress performance tooling, known for boosting SEO, Core Web Vitals, and reducing load times through advanced caching and CDN integration. But the same functionality that improves speed has now opened the door to a serious exploitation path.
According to the advisory, versions below 2.8.13 are vulnerable due to improper handling within the plugin's internal _parse_dynamic_mfunc function. This flaw enables remote, unauthenticated attackers to trigger arbitrary PHP execution simply by submitting a specially crafted comment containing a malicious payload.
A threat actor could leave a comment on any public post, and if the payload is parsed, the website will execute attacker-supplied PHP code, potentially granting full site takeover, data theft, or installation of backdoors and malware.
The attack requires no login, no privileges, and no CAPTCHA bypass, making it trivially exploitable on unprotected sites.
The vulnerability is fully patched in W3 Total Cache version 2.8.13, and all site owners are urged to update immediately.
In an effort to protect site administrators and slow down weaponization, the researchers announced that: "The PoC will be displayed on November 24, 2025, to give users the time to update."
With more than a million active installs, even a small percentage of unpatched websites could create a large attack surface for automated exploitation.
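Because the only stated remediation is updating to 2.8.13 or later, the practical first step for anyone running several WordPress sites is an inventory of installed W3TC versions. The script below is an added example, not code from the advisory or from the plugin; it assumes the standard WordPress plugin header in wp-content/plugins/w3-total-cache/w3-total-cache.php (an assumed path) and compares the version numerically, since a string comparison would rank 2.8.9 above 2.8.13.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "2.8.13"  # first release patching CVE-2025-9501
# Assumed location of the plugin's main file relative to a WordPress root.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/w3-total-cache/w3-total-cache.php")
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

# Constructed sample header (not a real file), used for offline testing.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Version: 2.8.12
 */
"""

def parse_version(header_text: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin header, or None."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None

def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric comparison so that 2.8.13 ranks above 2.8.9; suffixes like -beta are ignored."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_vulnerable(installed: str) -> bool:
    """True if the installed W3TC version is below the patched release."""
    return version_tuple(installed) < version_tuple(FIXED_VERSION)

def assess_header(site: str, header_text: str) -> dict:
    """Classify one site from its plugin header; a missing header is treated as unpatched."""
    version = parse_version(header_text)
    if version is None:
        return {"site": site, "installed": None, "vulnerable": True, "note": "no Version header"}
    return {"site": site, "installed": version, "vulnerable": is_vulnerable(version), "note": ""}

def assess_site(wp_root: Path) -> dict:
    """Read the plugin's main file under a WordPress root; an absent plugin is not exposed."""
    main_file = wp_root / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"site": str(wp_root), "installed": None, "vulnerable": False, "note": "W3TC not installed"}
    return assess_header(str(wp_root), main_file.read_text(encoding="utf-8", errors="replace"))

if __name__ == "__main__":
    import sys
    for root in sys.argv[1:] or ["."]:
        r = assess_site(Path(root))
        print(f"{r['site']}: W3TC {r['installed']} -> {'UPDATE' if r['vulnerable'] else 'ok'} {r['note']}")
```

On a live site with WP-CLI available, `wp plugin get w3-total-cache --field=version` returns the same version string for feeding into is_vulnerable.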