W3 Total Cache Vulnerability Puts WordPress Sites at Risk

Deepanker Verma November 20, 2025 Security


A new security issue has been found in the W3 Total Cache plugin, one of the most popular caching plugins used on WordPress websites. The flaw makes it possible for an attacker to execute PHP code on the server simply by posting a comment that contains a malicious payload. The issue is tracked as CVE-2025-9501.

W3 Total Cache is installed on more than one million websites, so the impact is huge. The bug affects all plugin versions released before 2.8.13. The developer pushed an update on October 20, but many websites are still running older versions. WordPress.org data shows around 430,000 downloads since the patch was released, which means a large number of sites have not updated yet.

The issue comes from a function called _parse_dynamic_mfunc(), which handles dynamic function calls inside cached content. WPScan reports that an attacker can send a crafted comment to a post, and the plugin will treat the malicious payload as executable PHP code. Because this works without authentication, anyone can try to exploit it. If successful, the attacker may gain full control of the website.

WPScan has already developed a proof-of-concept and says it will make it public on November 24. Once PoC code becomes available, attacks usually start very quickly. Hackers scan the internet for vulnerable sites and try to compromise them before site owners update their plugins.

If website owners cannot update the plugin immediately, they should deactivate W3 Total Cache or temporarily disable comments to cut off the attack path. The safest action, however, is to update to version 2.8.13 as soon as possible.

How users can protect their WordPress website

Users can follow a few simple steps to stay safe:

  • First, they should update the W3 Total Cache plugin to the latest version. If they are unsure which version is installed, they can check it on the Plugins page inside the WordPress dashboard; any version below 2.8.13 is affected.
  • They should also keep WordPress core and all other plugins updated. Most security issues come from outdated software.
  • They can enable a web application firewall plugin such as Wordfence or NinjaFirewall. These plugins block suspicious requests before they reach WordPress.
  • They should review their comment settings and consider enabling comment moderation. This adds an extra layer of protection against malicious payloads.
  • Finally, they should take regular backups. If something goes wrong, backups help restore the website quickly.
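Site administrators who manage several installs often want to audit the installed plugin version from the command line rather than open each dashboard. The script below is an added example (not code from the article, from WPScan or from the W3 Total Cache project): it reads the plugin's standard "Version:" header, compares it against 2.8.13 with a pure POSIX version comparison, and reports "vulnerable", "patched" or "not installed". It assumes the plugin lives at wp-content/plugins/w3-total-cache/w3-total-cache.php under the WordPress root and that versions are plain dotted numbers; the demo install it builds in a temporary directory is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an installed W3 Total Cache copy against the fixed release.
# Assumptions (not stated by the article): plugin main file path below, dotted numeric versions.

FIXED_VERSION="2.8.13"   # first patched release named in the article
W3TC_MAIN_FILE="wp-content/plugins/w3-total-cache/w3-total-cache.php"   # assumed path

# Extract the version from a WordPress plugin header line such as " * Version: 2.8.12".
plugin_header_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt A B: return 0 (true) when A sorts strictly before B, comparing each
# dotted component numerically and padding missing components with 0 (so 2.8 < 2.8.13).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1   # equal
}

# Print "vulnerable" (exit 1) or "patched" (exit 0) for a given version string.
w3tc_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
        return 1
    fi
    echo "patched"
    return 0
}

# Check one WordPress root; prints "not installed" when the plugin file is absent.
check_wordpress_root() {
    main="$1/$W3TC_MAIN_FILE"
    if [ ! -f "$main" ]; then
        echo "not installed"
        return 0
    fi
    w3tc_status "$(plugin_header_version "$main")"
}

# Build a constructed demo install (an outdated copy) and print its root directory.
make_demo_root() {
    root="$(mktemp -d)"
    mkdir -p "$root/$(dirname "$W3TC_MAIN_FILE")"
    cat > "$root/$W3TC_MAIN_FILE" <<'EOF'
<?php
/*
 * Plugin Name: W3 Total Cache
 * Version: 2.8.12
 */
EOF
    echo "$root"
}

# Stand-alone run: audit the constructed demo install, then clean up.
demo_root="$(make_demo_root)"
echo "demo install: $(check_wordpress_root "$demo_root")"   # prints "vulnerable"
rm -rf "$demo_root"
```

Point the script at a real install by calling check_wordpress_root /path/to/wordpress; the non-zero exit status from w3tc_status makes it usable from cron or a CI job. Where WP-CLI is available, `wp plugin get w3-total-cache --field=version` and `wp plugin update w3-total-cache` perform the same check and the update itself.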

About the Author: Deepanker Verma

Deepanker Verma is a well-known technology blogger and gadget reviewer based in India. He has been writing about Tech for over a decade.
