CVE-2025-9501
Published: 17 November 2025
Description
The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: update W3 Total Cache to version 2.8.13 or later, which removes the command injection in the plugin's _parse_dynamic_mfunc function.
- Information input validation: validate and sanitize unauthenticated input such as post comments, so that a comment body cannot carry a payload into code that ends up executing PHP.
- Vulnerability monitoring and scanning: scan for installed W3 Total Cache versions below 2.8.13 so that affected sites can be prioritised for remediation.
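The third control is easy to automate. The script below is an added example, not code from this page or from the W3 Total Cache project: it checks the installed plugin version against the 2.8.13 fixed release, either from the JSON that `wp plugin list --format=json` emits or, where WP-CLI is unavailable, from the `Version:` header of the plugin's main PHP file. The plugin slug `w3-total-cache`, the main file name `w3-total-cache.php`, and the `name`/`status`/`update`/`version` field names are assumptions about a stock wordpress.org install; the sample inputs are constructed.

```python
import json
import re

# From the advisory on this page: W3 Total Cache before 2.8.13 is vulnerable.
FIXED_VERSION = "2.8.13"
# Assumed: the plugin's directory slug as installed from wordpress.org.
PLUGIN_SLUG = "w3-total-cache"


def parse_version(version):
    """Turn '2.8.12' into (2, 8, 12). A pre-release suffix such as '-beta1' is
    dropped, so this check only orders the numeric part of the version."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version sorts strictly below the fixed release."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so 2.8 compares as 2.8.0
    b += (0,) * (width - len(b))
    return a < b


def audit_plugin_list(plugin_list_json):
    """Scan the JSON emitted by `wp plugin list --format=json` (assumed field
    names: name, status, update, version) and return every W3 Total Cache
    entry still below the fixed version, active or not."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") != PLUGIN_SLUG:
            continue
        if is_vulnerable(plugin["version"]):
            findings.append({
                "name": plugin["name"],
                "version": plugin["version"],
                "status": plugin.get("status", "unknown"),  # reported so the operator knows whether it was exposed
                "fixed_in": FIXED_VERSION,
                "cve": "CVE-2025-9501",
            })
    return findings


# Matches the 'Version:' line of a WordPress plugin header block.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def version_from_plugin_header(main_file_text):
    """Fallback when WP-CLI is unavailable: read the 'Version:' header from the
    plugin's main PHP file (assumed: wp-content/plugins/w3-total-cache/w3-total-cache.php)."""
    m = HEADER_RE.search(main_file_text)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


# Constructed sample inputs for the demonstration (not real site data).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3.2"},
    {"name": "w3-total-cache", "status": "active", "update": "available", "version": "2.8.12"},
])
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Version: 2.8.12
 */
"""

if __name__ == "__main__":
    for f in audit_plugin_list(SAMPLE_WP_PLUGIN_LIST):
        print(f"VULNERABLE {f['name']} {f['version']} (< {f['fixed_in']}, {f['status']}) -> {f['cve']}")
    print("header version:", version_from_plugin_header(SAMPLE_PLUGIN_HEADER))
```

On a live host, feed `wp plugin list --format=json --path=/var/www/html` into `audit_plugin_list`; an installed but deactivated copy is still reported, because it still needs the update before it is re-enabled.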
Security Summary
CVE-2025-9501 is a command injection vulnerability affecting the W3 Total Cache WordPress plugin in versions prior to 2.8.13. The flaw exists in the _parse_dynamic_mfunc function, which does not adequately sanitize user inputs, enabling malicious code execution.
Unauthenticated attackers can exploit this vulnerability over the network by submitting a comment containing a malicious payload to any WordPress post. Successful exploitation allows arbitrary PHP command execution on the server. The CVSS v3.1 base score is 9.0 (Critical) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H: the high attack-complexity rating lowers the exploitability term, but no privileges or user interaction are required, and a changed scope with high impact on confidentiality, integrity and availability keeps the score in the critical band.
The WPScan advisory at https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/ details the issue and recommends updating to W3 Total Cache version 2.8.13 or later as the primary mitigation.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a command injection in a public-facing WordPress plugin that gives an unauthenticated, remote attacker code execution, so it maps directly to Exploit Public-Facing Application (T1190).