Update - We have identified that some customer accounts are still using a vulnerable version of the W3 Total Cache plugin (versions below 2.8.13).
We have reached out directly to the impacted accounts via support cases to inform them of the issue and the potential impact of this vulnerability.
We strongly recommend updating the plugin to the latest available version as soon as possible.
If you need any assistance with this update, please reach out to our support team; we’re happy to help with applying the patch.
Dec 02, 2025 - 14:13 CST
We have reached out directly to the impacted accounts via support cases to inform them of the issue and the potential impact of this vulnerability.
We strongly recommend updating the plugin to the latest available version as soon as possible.
If you need any assistance with this update, please reach out to our support team; we’re happy to help with applying the patch.
Dec 02, 2025 - 14:13 CST
Identified - A critical vulnerability has been disclosed in the W3 Total Cache WordPress plugin affecting versions below 2.8.13. This issue (CVE-2025-9501) is a command injection vulnerability that can be exploited without authentication via the _parse_dynamic_mfunc function by submitting a specially crafted comment, potentially allowing remote code execution on affected sites.
More information can be found here:
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
The vulnerability is rated CVSS 9.0 (Critical), and a fixed version is available in W3 Total Cache 2.8.13 and later.
We strongly suggest that all clients using the W3 Total Cache plugin with WordPress immediately update that plugin to the latest version.
IMPORTANT: The public proof of concept (PoC) has been released with information on how the vulnerability can be exploited, which may increase the likelihood of compromise attempts.
Nov 24, 2025 - 15:49 CST
More information can be found here:
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
The vulnerability is rated CVSS 9.0 (Critical), and a fixed version is available in W3 Total Cache 2.8.13 and later.
We strongly suggest that all clients using the W3 Total Cache plugin with WordPress immediately update that plugin to the latest version.
IMPORTANT: The public proof of concept (PoC) has been released with information on how the vulnerability can be exploited, which may increase the likelihood of compromise attempts.
Nov 24, 2025 - 15:49 CST
PHP Services
Operational
LAN
Operational
PHX
Operational
IIS Services
Operational
LAN
Operational
PHX
Operational
MariaDB
Operational
LAN
Operational
PHX
Operational
MSSQL
Operational
LAN
Operational
PHX
Operational
FTP
Operational
LAN
Operational
PHX
Operational
Management Portal
Operational
Management Portal
Operational
Operational
Degraded Performance
Partial Outage
Major Outage
Maintenance