November 19, 2025 By Bill Toulas

A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload.
The vulnerability, tracked as CVE-2025-9501, affects all versions of the W3TC plugin prior to 2.8.13 and is described as an unauthenticated command injection.
W3TC is installed on more than one million websites to increase performance and reduce load times.
The developer released version 2.8.13, which addresses the security issue, on October 20. However, based on data from WordPress.org, hundreds of thousands of websites may still be vulnerable, as there have been around 430,000 downloads since the patch became available.
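As a quick site-side check that is not part of the article or of the plugin itself, the following POSIX shell script reads the plugin header of the installed W3 Total Cache copy and reports whether its version is below the fixed release 2.8.13. It assumes the WordPress plugin-header convention (a "Version:" line in the main plugin file, normally wp-content/plugins/w3-total-cache/w3-total-cache.php) and runs here against a constructed sample header.

```sh
#!/bin/sh
# Added example (not from the article): flag a W3 Total Cache install whose
# plugin header reports a version below the fixed release 2.8.13 (CVE-2025-9501).
# Assumes the WordPress plugin-header convention, where the main plugin file
# (normally wp-content/plugins/w3-total-cache/w3-total-cache.php) carries a
# "Version:" line in its leading comment block.

FIXED_VERSION="2.8.13"

# Print the value of the first "Version:" header line in a plugin main file.
w3tc_installed_version() {
    sed -n 's/.*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 sorts strictly before $2 (2.8.9 < 2.8.13),
# comparing numerically component by component; missing components count as 0.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# Print a one-line verdict for the plugin main file given as $1.
w3tc_status() {
    v=$(w3tc_installed_version "$1")
    if [ -z "$v" ]; then
        echo "unknown (no Version header found)"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable ($v < $FIXED_VERSION)"
    else
        echo "patched ($v)"
    fi
}

# Constructed sample header for an offline run; point this at the real plugin file instead.
SAMPLE=$(mktemp)
printf '<?php\n/**\n * Plugin Name: W3 Total Cache\n * Version: 2.8.12\n */\n' > "$SAMPLE"
w3tc_status "$SAMPLE"
rm -f "$SAMPLE"
```

The numeric comparison matters because a plain string compare would rank 2.8.9 above 2.8.13 and report a vulnerable install as patched.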
WordPress security company WPScan says that an attacker can trigger CVE-2025-9501 and inject commands through the _parse_dynamic_mfunc() function, which is responsible for processing dynamic function calls embedded in cached content.
“The [W3TC] plugin is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post,” WPScan
An attacker who successfully exploits this PHP code execution flaw may be able to take full control of the vulnerable WordPress website, since they can run any command on the server without needing to authenticate.