Ethical Hacking News
A critical flaw has been discovered in the W3 Total Cache WordPress plugin, which could allow an attacker to execute arbitrary PHP commands and potentially take control of a vulnerable WordPress website. While a patch is available, hundreds of thousands of websites may still be at risk due to slow adoption rates.
A critical flaw has been discovered in the W3 Total Cache WordPress plugin (CVE-2025-9501) that allows malicious PHP commands to be injected through comments on posts. The vulnerability affects all versions prior to 2.8.13 and, because the patch has not yet been downloaded by most of the plugin's installations, may still affect hundreds of thousands of websites. Attackers can execute arbitrary PHP commands without authentication or user credentials, potentially gaining full control of vulnerable WordPress sites. WPScan plans to publish a PoC exploit for CVE-2025-9501 on November 24, so website administrators should upgrade or patch their plugin promptly. Until updates can be applied, alternative measures such as deactivating the W3TC plugin or preventing comments from delivering malicious payloads can be taken.
A critical flaw has been discovered in the W3 Total Cache (W3TC) WordPress plugin, which is used by over one million websites to increase performance and reduce load times. The vulnerability, tracked as CVE-2025-9501, allows an attacker to inject malicious PHP commands through a comment on a post, potentially leading to command injection and remote code execution.
This vulnerability affects all versions of W3TC prior to version 2.8.13, which was released on October 20, 2025, with a patch that addresses the security issue. However, based on data from WordPress.org, hundreds of thousands of websites may still be vulnerable: there have been only around 430,000 downloads since the patch became available, against more than one million sites using the plugin.
The vulnerability is described as an unauthenticated command injection, which means that an attacker can execute arbitrary PHP commands without needing to authenticate or obtain user credentials. This could potentially allow an attacker to take full control of a vulnerable WordPress website by running any command on the server without restriction.
WPScan researchers have developed a proof-of-concept exploit (PoC) for CVE-2025-9501 and plan to publish it on November 24, giving users sufficient time to install the updates. Typically, malicious exploitation of flaws begins almost immediately following the publication of an exploit code, so it is essential that website administrators take prompt action to upgrade or patch their W3TC plugin.
In the meantime, website administrators who cannot upgrade by the deadline should consider deactivating the W3 Total Cache plugin or taking additional measures to prevent comments from being used to deliver malicious payloads. The recommended action is still to upgrade to version 2.8.13 of the W3TC plugin as soon as possible.
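The first step in the advice above is finding out which W3TC version a site actually runs. The following Python script is an added example (not code from the article, WPScan, or the W3TC project): it reads the plugin's file header, extracts the `Version:` value, and reports whether the install is older than 2.8.13, the first patched release named in the advisory. It assumes the plugin's standard layout (`wp-content/plugins/w3-total-cache/w3-total-cache.php`); the sample header it audits when run without arguments is constructed for this example.

```python
"""Audit a WordPress install for a W3 Total Cache version affected by CVE-2025-9501.

Added example: not from the advisory or the plugin authors. Assumes the standard
plugin path w3-total-cache/w3-total-cache.php and the fixed version 2.8.13 from
the advisory.
"""
import re
import sys
from pathlib import Path

FIXED_VERSION = "2.8.13"  # first release containing the fix, per the advisory
# Assumed standard location of the plugin's main file inside wp-content/plugins
PLUGIN_MAIN_FILE = Path("w3-total-cache") / "w3-total-cache.php"

# Matches a "Version: x.y.z" line in a WordPress plugin file header
_VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

# Constructed sample header, used when no plugins directory is given
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Description: constructed sample header for this example
 * Version: 2.8.12
 */
"""


def parse_plugin_version(header_text):
    """Return the 'Version:' value from a plugin file header, or None if absent."""
    match = _VERSION_HEADER.search(header_text)
    return match.group(1) if match else None


def _split_version(version):
    """Split '2.8.13-beta' into ([2, 8, 13], is_release=False)."""
    core, _, suffix = version.partition("-")
    numbers = []
    for piece in core.split("."):
        digits = re.match(r"\d+", piece)
        numbers.append(int(digits.group(0)) if digits else 0)
    return numbers, suffix == ""


def is_older(version, reference):
    """True if version sorts before reference; a pre-release (e.g. -beta) of the
    reference counts as older, so it is treated as unpatched."""
    nums_a, rel_a = _split_version(version)
    nums_b, rel_b = _split_version(reference)
    width = max(len(nums_a), len(nums_b))
    nums_a += [0] * (width - len(nums_a))
    nums_b += [0] * (width - len(nums_b))
    return (nums_a, rel_a) < (nums_b, rel_b)


def is_vulnerable_w3tc(version):
    """All W3TC versions before 2.8.13 are affected by CVE-2025-9501."""
    return is_older(version, FIXED_VERSION)


def audit_header(header_text):
    """Return an audit record for a plugin file header."""
    version = parse_plugin_version(header_text)
    if version is None:
        return {"installed": False, "version": None, "vulnerable": False}
    return {"installed": True, "version": version, "vulnerable": is_vulnerable_w3tc(version)}


def audit_plugin_dir(plugins_dir):
    """Audit a real wp-content/plugins directory (only the file header is read)."""
    main_file = Path(plugins_dir) / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    return audit_header(main_file.read_text(errors="replace")[:4096])


def main(argv):
    result = audit_plugin_dir(argv[1]) if len(argv) > 1 else audit_header(SAMPLE_HEADER)
    if not result["installed"]:
        print("W3 Total Cache not found")
    elif result["vulnerable"]:
        print(f"W3TC {result['version']} is affected by CVE-2025-9501: update to "
              f"{FIXED_VERSION} or later, or deactivate the plugin until you can")
    else:
        print(f"W3TC {result['version']} is at or above {FIXED_VERSION}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python audit_w3tc.py /var/www/html/wp-content/plugins` on the server; without an argument it audits the constructed sample header. Where WP-CLI is available, `wp plugin list --fields=name,version` gives the same version information and `wp plugin update w3-total-cache` applies the fix.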
This vulnerability highlights the importance of regularly updating and patching third-party plugins on WordPress websites, particularly those that handle sensitive data or provide administrative access. By staying informed about security vulnerabilities like this one, website owners can take proactive steps to protect their sites from potential threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-W3-Total-Cache-Vulnerability-A-Critical-Flaw-in-WordPress-Plugins-ehn.shtml
https://www.bleepingcomputer.com/news/security/w3-total-cache-wordpress-plugin-vulnerable-to-php-command-injection/
https://nvd.nist.gov/vuln/detail/CVE-2025-9501
https://www.cvedetails.com/cve/CVE-2025-9501/
Published: Wed Nov 19 13:05:51 2025 by llama3.2 3B Q4_K_M