A critical security flaw has been identified in the popular W3 Total Cache (W3TC) WordPress plugin, which could allow unauthenticated attackers to execute arbitrary PHP commands on vulnerable websites.
The vulnerability, tracked as CVE-2025-9501, is described as an unauthenticated command injection issue rooted in the parse_dynamic_mfunc() function, which processes dynamic function calls embedded in cached content. By submitting a comment containing a crafted payload, an attacker needs no account on the site to trigger the flaw and gain full control of the affected WordPress website.
With the W3TC plugin installed on over one million websites to enhance performance and reduce load times, the potential impact of this vulnerability is significant. While the plugin's developer has released version 2.8.13 to address the issue, data from WordPress.org indicates that hundreds of thousands of websites may still be vulnerable: only around 430,000 downloads have been recorded since the patch became available, against more than a million active installations.
Security researchers have developed a proof-of-concept exploit for CVE-2025-9501 and plan to release it publicly on November 24, which is likely to prompt a surge of exploitation attempts against unpatched websites. Website administrators are urged to upgrade to the latest version of the W3TC plugin, or to deactivate it entirely if an immediate update is not possible, in order to mitigate the risk of this critical vulnerability being exploited.
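The remediation advice above (update to 2.8.13 or later, otherwise deactivate) can be automated across a fleet of sites. The script below is an added example, not code from the advisory or from the W3TC project. It compares the installed plugin version against the fixed version with a portable, purely numeric version comparison, decides on an action, and, when WP-CLI (`wp`) is available and the site path is supplied in the `WP_PATH` environment variable (an assumed convention of this script), updates or deactivates the plugin accordingly. The `ALLOW_UPDATE` variable is likewise an assumption of this script, used to model sites where plugin updates are blocked.

```shell
#!/bin/sh
# Added example: check whether the installed W3 Total Cache version predates
# the 2.8.13 fix for CVE-2025-9501 and remediate (update or deactivate).
# Assumes WP-CLI ("wp") is installed and the site root is given in WP_PATH.

PATCHED_VERSION="2.8.13"
PLUGIN_SLUG="w3-total-cache"

# version_lt A B: succeeds (exit 0) when version A is older than version B.
# Compares dot-separated numeric components so that 2.8.9 < 2.8.13, which a
# plain string comparison would get wrong. Assumes purely numeric components
# (no "-beta" style suffixes).
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        [ -z "$ai" ] && ai=0        # missing component counts as 0 (2.8 == 2.8.0)
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1   # equal versions are not "less than"
}

# is_vulnerable VERSION: prints "yes" when VERSION is below the patched release.
is_vulnerable() {
    if version_lt "$1" "$PATCHED_VERSION"; then
        echo yes
    else
        echo no
    fi
}

# remediation_action VERSION CAN_UPDATE: prints "update" when vulnerable and
# updates are permitted, "deactivate" when vulnerable but updates are blocked,
# and "none" when the installed version is already fixed.
remediation_action() {
    installed="$1"
    can_update="$2"   # "true" or "false"
    if [ "$(is_vulnerable "$installed")" = "no" ]; then
        echo none
    elif [ "$can_update" = "true" ]; then
        echo update
    else
        echo deactivate
    fi
}

# Live check: only runs when a site path and WP-CLI are both available,
# so the functions above can be used (and tested) without a WordPress install.
if [ -n "$WP_PATH" ] && command -v wp >/dev/null 2>&1; then
    installed=$(wp plugin get "$PLUGIN_SLUG" --path="$WP_PATH" --field=version)
    case "$(remediation_action "$installed" "${ALLOW_UPDATE:-true}")" in
        update)     wp plugin update "$PLUGIN_SLUG" --path="$WP_PATH" ;;
        deactivate) wp plugin deactivate "$PLUGIN_SLUG" --path="$WP_PATH" ;;
        none)       echo "$PLUGIN_SLUG $installed is at or above $PATCHED_VERSION" ;;
    esac
fi
```

Run it per site as `WP_PATH=/var/www/example ./check-w3tc.sh`; set `ALLOW_UPDATE=false` on sites where plugin updates are frozen so the script falls back to deactivation rather than leaving the vulnerable version active. The version comparison is deliberately component-wise rather than `sort -V` based so it behaves the same on minimal shells without GNU coreutils.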