A critical flaw in the W3 Total Cache WordPress plugin allows an attacker to run PHP commands on a server by posting a comment that contains a malicious payload, security researchers say. The issue, tracked as CVE-2025-9501, affects all versions of W3 Total Cache prior to 2.8.13 and is described as an unauthenticated command injection.
WordPress security company WPScan said the flaw can be triggered through the __parse_dynamic_mfunc() function that processes dynamic function calls embedded in cached content, allowing unauthenticated users to inject PHP commands via a comment payload.
W3 Total Cache is installed on more than one million websites, and the developer released version 2.8.13 on October 20 to address the issue. Based on download figures from WordPress.org, there have been around 430,000 downloads of the update since it became available, suggesting hundreds of thousands of sites may remain vulnerable.
WPScan researchers said they developed a proof-of-concept exploit and planned to publish it on November 24 to give administrators time to install updates. The company warned that successful exploitation could allow an attacker to run any command on the server and take full control of a vulnerable site.
Site operators who cannot upgrade immediately are advised to deactivate the W3 Total Cache plugin or otherwise ensure that comments cannot be used to deliver payloads that would trigger the vulnerability, according to the researchers' guidance.
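Because the fix is a version boundary (everything before 2.8.13 is affected), the first thing an administrator wants is a quick, offline way to tell whether a given install is on the patched line. The script below is an added example written for this article; it is not code from WPScan, the plugin, or the advisory. It assumes the plugin's main file sits at the conventional `wp-content/plugins/w3-total-cache/w3-total-cache.php` and carries a standard WordPress `Version:` header line, and it embeds a constructed header so it can be run without a WordPress install. The version comparison is done numerically so that, for instance, `2.8.9` is correctly treated as older than `2.8.13` (a plain string comparison would get that wrong).

```python
"""Added example: flag a W3 Total Cache install that predates the 2.8.13 fix.

Not part of the article or the plugin. Assumes the plugin's main file is at
wp-content/plugins/w3-total-cache/w3-total-cache.php (assumed path) and uses
the standard WordPress plugin header, which includes a "Version:" line.
"""
import re
from pathlib import Path

FIXED_VERSION = "2.8.13"  # first release that addresses CVE-2025-9501, per the advisory
PLUGIN_MAIN_FILE = Path("wp-content/plugins/w3-total-cache/w3-total-cache.php")  # assumed

# Accepts the usual comment decorations in front of the header key, e.g. " * Version: 2.8.12"
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(ver):
    """Turn '2.8.12' into (2, 8, 12); a trailing tag such as '-beta1' is ignored."""
    parts = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """Component-wise numeric comparison: True if version a is older than version b."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))  # pad so 2.8 compares like 2.8.0
    pb += (0,) * (n - len(pb))
    return pa < pb


def header_version(plugin_source):
    """Return the Version: value from a WordPress plugin header, or None if absent."""
    m = _VERSION_RE.search(plugin_source)
    return m.group(1) if m else None


def is_vulnerable(plugin_source):
    """True when the header version is older than the fixed release."""
    v = header_version(plugin_source)
    if v is None:
        raise ValueError("no Version: header found in plugin source")
    return version_lt(v, FIXED_VERSION)


# Constructed sample header (not a real plugin file) so the check runs offline.
CONSTRUCTED_HEADER = """<?php
/*
 * Plugin Name: W3 Total Cache
 * Version: 2.8.12
 */
"""


def check_site(root="."):
    """Inspect a WordPress document root; returns a short status string."""
    path = Path(root) / PLUGIN_MAIN_FILE
    if not path.exists():
        return "W3 Total Cache not found at the expected path"
    return "VULNERABLE (older than 2.8.13)" if is_vulnerable(path.read_text(errors="replace")) else "patched"


if __name__ == "__main__":
    print("constructed sample:", "VULNERABLE" if is_vulnerable(CONSTRUCTED_HEADER) else "patched")
    print("this site:", check_site())
```

Run it from the WordPress document root; the constructed sample reports as vulnerable, and the second line reports on the actual install (or says the plugin is not at the assumed path). A version check of this kind only confirms what is installed, so it is a complement to, not a substitute for, applying the 2.8.13 update or deactivating the plugin as the advisory recommends.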
The report did not state whether the vulnerability has been observed exploited in the wild.