CVE-2025-9501
W3 Total Cache < 2.8.13 - Unauthenticated Command Injection
The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
Unknown · W3 Total Cachepublic PoCs found — 2
githubgithub.com/InnerFireZ/CVE-2025_9501-POC★ 0cve_referencewpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →