Threat Advisory

Critical W3 Total Cache Flaw Risks Unauthenticated RCE on 1 million WordPress Sites

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

The W3 Total Cache WordPress plugin (versions prior to 2.8.13) contains a critical command injection vulnerability, tracked as CVE-2025-9501 and rated CVSS 9.0. The flaw lies in the plugin's _parse_dynamic_mfunc function, which the plugin uses internally to process dynamic code fragments embedded in page content. Because the function does not adequately sanitize its input, an unauthenticated attacker can submit a specially crafted comment carrying a malicious payload; when the plugin parses that payload, it executes arbitrary PHP code on the server. Successful exploitation could lead to full site takeover, data theft, or the installation of backdoors. Since no authentication is required, sites that accept comments from the public are at the greatest risk. With W3 Total Cache installed on more than one million WordPress sites, the potential impact is widespread.
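The following triage script is an added example and is not code from this advisory or from the W3 Total Cache project. It does two things a responder would want after reading the summary above: it reads the installed plugin version from the standard WordPress plugin header and compares it numerically against the fixed release, and it scans comment bodies for the plugin's dynamic-fragment marker (assumed here to be the <!-- mfunc --> ... <!-- /mfunc --> syntax that _parse_dynamic_mfunc handles; the advisory itself does not show the marker). The plugin header and comment rows are constructed sample data, not real site content.

```python
import re
from typing import Iterable

# Release that fixes CVE-2025-9501, per the advisory (versions before 2.8.13 are affected).
FIXED_VERSION = (2, 8, 13)

# Standard WordPress plugin header line, e.g. " * Version: 2.8.12".
_VERSION_RE = re.compile(
    r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE | re.IGNORECASE
)

# W3 Total Cache dynamic-fragment marker (<!-- mfunc --> ... <!-- /mfunc -->).
# Assumption: this is the marker _parse_dynamic_mfunc processes; the advisory
# does not reproduce it. Case-insensitive, tolerant of whitespace after "<!--".
_MFUNC_RE = re.compile(r"<!--\s*/?mfunc\b", re.IGNORECASE)


def parse_plugin_version(header_text: str) -> tuple[int, ...]:
    """Extract the Version: field from a plugin's main PHP file header."""
    m = _VERSION_RE.search(header_text)
    if not m:
        raise ValueError("no Version: header found")
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def is_vulnerable(version: tuple[int, ...]) -> bool:
    """True if the installed version predates the fix.

    Compares numerically; a string compare would wrongly rank "2.8.9" above
    "2.8.13". Shorter tuples are padded so 2.8 is treated as 2.8.0.
    """
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION


def find_mfunc_comments(comments: Iterable[tuple[int, str]]) -> list[int]:
    """Return IDs of comments whose body carries an mfunc marker.

    Ordinary visitor comments have no reason to contain the plugin's
    dynamic-code markers, so a hit is a strong indicator of an attempt to
    reach _parse_dynamic_mfunc through the comment form.
    """
    return [cid for cid, body in comments if _MFUNC_RE.search(body)]


# Constructed sample data (not taken from any real site).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Version: 2.8.12
 */
"""

SAMPLE_COMMENTS = [
    (101, "Great article, thanks for sharing!"),
    (102, "Nice post <!-- mfunc --> echo 'x'; <!-- /mfunc --> regards"),
    (103, "<!--MFUNC-->phpinfo();<!--/MFUNC-->"),
    (104, "My function is called mfunc, is that a problem?"),
]

if __name__ == "__main__":
    ver = parse_plugin_version(SAMPLE_HEADER)
    print("installed:", ".".join(map(str, ver)), "vulnerable:", is_vulnerable(ver))
    print("suspicious comment IDs:", find_mfunc_comments(SAMPLE_COMMENTS))
```

On a live site, feed parse_plugin_version the contents of wp-content/plugins/w3-total-cache/w3-total-cache.php and find_mfunc_comments the comment_ID and comment_content columns from the wp_comments table (pending and spam comments included, since the payload only needs to be parsed, not approved). Comment 104 is deliberately a false-positive check: the bare word "mfunc" without the "<!--" marker is not flagged.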

RECOMMENDATION:

We strongly recommend updating W3 Total Cache to version 2.8.13 or later. Because the attack vector is a crafted comment submitted without authentication, restricting or temporarily disabling public comment submission reduces exposure until the update can be applied.

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/critical-w3-total-cache-flaw-cve-2025-9501-cvss-9-0-risks-unauthenticated-rce-on-1-million-wordpress-sites/
