WPScan

A critical unauthenticated command injection in the W3 Total Cache WordPress plugin (CVE-2025-9501) can allow PHP code execution via a malicious comment. The developer issued a patch in version 2.8.13 on Oct. 20, but hundreds of thousands of sites may still be unpatched; WPScan plans to publish a proof-of-concept on Nov. 24.