
A proof-of-concept exploit has been publicly released for CVE-2025-9501, a critical, unauthenticated command-injection vulnerability affecting W3 Total Cache, one of WordPress’s most widely deployed caching plugins.
The plugin has over 1 million active installations, so the vulnerability poses a significant risk to a large number of websites worldwide.
RCE Security found that the flaw lies in W3 Total Cache’s dynamic content parsing functionality, specifically in the _parse_dynamic_mfunc function of the PgCache_ContentGrabber class.
The vulnerable code uses PHP’s eval() function to execute code derived from cached page content, creating a direct code injection vector.

Unauthenticated Command Injection Discovered
RCE Security researchers analyzed WPScan’s initial advisory and developed a working exploit to validate the vulnerability’s severity.
The vulnerability requires specific conditions to be exploitable. Attackers must know the W3TC_DYNAMIC_SECURITY constant value defined in the site’s wp-config.php file.
Additionally, page caching (a core feature of the plugin, but disabled by default) must be enabled, and the site must allow unauthenticated users to post comments.
If these conditions align, attackers can inject arbitrary PHP code through specially crafted HTML comments in cached pages, achieving complete remote code execution.

| Property | Value |
|---|---|
| CVE ID | CVE-2025-9501 |
| Vulnerability Type | Unauthenticated Command Injection / Remote Code Execution |
| Affected Plugin | W3 Total Cache |
| Affected Versions | Versions with vulnerable code in PgCache_ContentGrabber class |
| Attack Vector | Cached page content with malicious mfunc comments |
| Impact | Remote Code Execution, Complete Server Compromise |
| Status | Exploit PoC Released |

When the page cache processes a request, it invokes the vulnerable _parse_dynamic function, which searches cached content for specially formatted mfunc comment tags.
If an attacker knows the W3TC_DYNAMIC_SECURITY value, they can inject malicious PHP code within these tags. The code then executes directly on the server, granting attackers shell-level access.
A simple injection like echo passthru($_GET[1337]) enables command execution.
While technically straightforward to exploit once preconditions are met, the vulnerability’s real-world impact depends on WordPress administrator practices.
Sites using the W3TC_DYNAMIC_SECURITY feature with default values or weak secrets face heightened risk.
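
For administrators who want to check both preconditions on their own site, the following audit sketch is an added example, not code from RCE Security or W3 Total Cache. It flags a weak or guessable W3TC_DYNAMIC_SECURITY value in wp-config.php text and lists visitor comments that contain mfunc-style tags. The tag layout, the weak-value list, the length threshold and the sample data are all assumptions made for illustration.

```python
import re

# Any HTML comment that opens or closes an mfunc/mclude block.
# Assumption: tags follow W3 Total Cache's documented "<!-- mfunc TOKEN -->" layout.
TAG_RE = re.compile(r"<!--\s*/?\s*(?:mfunc|mclude)", re.IGNORECASE)
# define('W3TC_DYNAMIC_SECURITY', 'value') as it would appear in wp-config.php.
DEFINE_RE = re.compile(
    r"define\(\s*['\"]W3TC_DYNAMIC_SECURITY['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)"
)
# Constructed list of guessable values; extend it for your environment.
WEAK_VALUES = {"secret", "changeme", "password", "w3tc", "test"}
MIN_LENGTH = 20  # hypothetical policy threshold, not a vendor recommendation


def audit_config(wp_config_text):
    """Return (status, reason) for W3TC_DYNAMIC_SECURITY in wp-config.php text."""
    m = DEFINE_RE.search(wp_config_text)
    if not m:
        return ("not_defined", "constant absent from this file")
    value = m.group(1)
    if value.lower() in WEAK_VALUES:
        return ("weak", "value is on the guessable list")
    if len(value) < MIN_LENGTH:
        return ("weak", f"value is shorter than {MIN_LENGTH} characters")
    return ("ok", "value is long and not on the guessable list")


def scan_comments(comments):
    """Return ids of comments that contain an mfunc/mclude tag.

    Visitor comments have no legitimate reason to carry these tags, so every
    hit is reported whether or not its token matches the site secret.
    """
    return [cid for cid, body in comments if TAG_RE.search(body)]


# Constructed sample data (not taken from a real site).
SAMPLE_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\ndefine( 'W3TC_DYNAMIC_SECURITY', 'secret' );\n"
SAMPLE_COMMENTS = [
    (101, "Great post, thanks!"),
    (102, "x <!-- mfunc PLACEHOLDER_TOKEN -->...<!-- /mfunc PLACEHOLDER_TOKEN -->"),
    (103, "Has anyone tried the mfunc feature?"),
]

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
    print(scan_comments(SAMPLE_COMMENTS))
```

A "weak" result or any flagged comment id is a reason to rotate the constant and review the cached pages for the affected posts.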

The combination of widespread plugin adoption and the ability to execute arbitrary code positions this as a critical threat.
RCE Security recommends that website administrators using W3 Total Cache immediately review their security configurations, turn off the feature if unused, or apply available patches.
The vulnerability underscores the importance of secure coding practices, particularly avoiding dynamic code evaluation functions like eval() in security-sensitive contexts.
Website owners should immediately review W3 Total Cache configurations, update to patched versions when available, and consider disabling dynamic content caching if it is not actively used.
Organizations running penetration tests should incorporate this vulnerability into their assessment protocols to identify exposed instances within their infrastructure.
