We have identified that some customer accounts are still using a vulnerable version of the W3 Total Cache plugin (versions below 2.8.13).
We have reached out directly to the impacted accounts via support cases to inform them of the issue and the potential impact of this vulnerability.
We strongly recommend updating the plugin to the latest available version as soon as possible.
If you need any assistance with this update, please reach out to our support team; we’re happy to help with applying the patch.
Posted Dec 02, 2025 - 14:13 CST
Identified
A critical vulnerability has been disclosed in the W3 Total Cache WordPress plugin affecting versions below 2.8.13. This issue (CVE-2025-9501) is a command injection vulnerability that can be exploited without authentication via the _parse_dynamic_mfunc function by submitting a specially crafted comment, potentially allowing remote code execution on affected sites.
The vulnerability is rated CVSS 9.0 (Critical), and a fixed version is available in W3 Total Cache 2.8.13 and later. We strongly suggest that all clients using the W3 Total Cache plugin with WordPress immediately update that plugin to the latest version.
IMPORTANT: A public proof of concept (PoC) has been released with details of how the vulnerability can be exploited, which may increase the likelihood of compromise attempts.
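
To find installs that still need the update, the version check against 2.8.13 can be scripted. The following is an added example, not part of the original notice or the plugin's own code; it assumes the standard WordPress layout with the plugin's main file at wp-content/plugins/w3-total-cache/w3-total-cache.php, and the web root passed on the command line is hypothetical.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 8, 13)  # first fixed release named in the notice
# Assumption: standard WordPress layout and the plugin's usual main file name.
PLUGIN_FILE = "wp-content/plugins/w3-total-cache/w3-total-cache.php"
# Matches the "Version: x.y.z" line of the plugin header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)


def parse_version(header_text):
    """Return the header version as a tuple of ints, or None if not found."""
    match = VERSION_RE.search(header_text)
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def classify(version):
    """Map a parsed version to a status; unreadable headers need manual review."""
    if version is None:
        return "UNKNOWN"
    return "VULNERABLE" if version < FIXED else "ok"


def audit(root):
    """Return [(site_dir, version_or_None, status)] for each install under root."""
    results = []
    for plugin in sorted(Path(root).rglob(PLUGIN_FILE)):
        # WordPress only reads the start of a plugin file (8 KiB) for its headers.
        with open(plugin, "r", encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(8192))
        results.append((plugin.parents[3], version, classify(version)))
    return results


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # e.g. a hypothetical /var/www
    findings = audit(root)
    for site, version, status in findings:
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:<10} {shown:<10} {site}")
    # Non-zero exit lets a cron job or CI step alert on anything not confirmed fixed.
    sys.exit(1 if any(s != "ok" for _, _, s in findings) else 0)
```

An UNKNOWN result means the plugin directory exists but no version header could be read, so that install should be checked by hand rather than assumed patched.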