W3 Total Cache Security Vulnerability Exposes One Million WordPress Sites to RCE

A critical security flaw has been discovered in the widely used W3 Total Cache WordPress plugin, putting over 1 million websites at serious risk.

The vulnerability allows attackers to take complete control of affected websites without needing any login credentials.

Field                 Value
CVE ID                CVE-2025-9501
Plugin Name           W3 Total Cache
Affected Versions     Before 2.8.13
Fixed Version         2.8.13+
Vulnerability Type    Unauthenticated Command Injection
CVSS Score            9.0
CVSS Severity         Critical

The Vulnerability Explained

The W3 Total Cache plugin, installed on more than 1 million WordPress sites, contains a command injection vulnerability in versions before 2.8.13.

The flaw exists in the _parse_dynamic_mfunc function, a component of the plugin that processes website content.

Attackers can exploit this weakness by submitting malicious code hidden within a comment on any WordPress post.

Because the vulnerability doesn’t require authentication, anyone can attempt the attack without special access.

Once triggered, the injected commands execute with the same privileges as the web server account that runs the WordPress site, allowing attackers to run arbitrary PHP code and potentially take over the entire site.

This vulnerability earned a critical CVSS score of 9.0, reflecting its severe nature. The attack is simple to perform, requires no user interaction, and can be launched remotely from anywhere on the internet.

Attackers could use this to steal sensitive data, install malware, deface websites, or redirect visitors to malicious sites.

The attack method is straightforward: a hacker needs to find a vulnerable WordPress site running W3 Total Cache below version 2.8.13, post a malicious comment containing PHP code, and the server will execute their commands.

This makes it particularly dangerous because the attack requires minimal technical skill.

The vulnerability was publicly disclosed on October 27, 2025, meaning attackers have had roughly three weeks of public visibility into the flaw before this announcement.

During this window, attackers have had the opportunity to target unpatched installations. Website owners who haven’t updated their plugin are still at immediate risk.

The solution is straightforward: update the W3 Total Cache plugin to version 2.8.13 or newer immediately. This patched version contains the security fix that closes the vulnerability.

WordPress site administrators should also review their web server and security logs covering the disclosure window for any suspicious comment activity or unauthorized changes.

It’s recommended to check for any malicious posts or comments that attackers may have added.

Beyond updating the plugin, website owners should consider implementing additional security measures, including regular backups, security plugins to monitor for intrusions, and limiting comment posting to registered users only.

Keeping all WordPress plugins, themes, and core files up to date is essential for maintaining a secure website.

The W3 Total Cache plugin remains popular for improving website performance. However, like all software, it requires regular updates to maintain security.
