- W3 Total Cache plugin flaw CVE-2025-9501 allows unauthenticated PHP command injection
- Affects all versions before 2.8.13; roughly 327,000 websites remain at risk
- WPScan plans to publish a proof-of-concept exploit on November 24, raising concerns about mass exploitation
W3 Total Cache (W3TC), a WordPress plugin with more than a million active installations, has a critical-severity vulnerability that allows threat actors to fully take over affected websites, experts have warned.
The bug is described as a command injection flaw that is triggered by submitting a comment containing a malicious payload on a post. The attacker does not need to be authenticated on the site to inject PHP commands this way.
The vulnerability is tracked as CVE-2025-9501, carries a severity rating of 9.0/10 (Critical), and affects all versions of the plugin prior to 2.8.13.
Deadline November 24
To fix the bug, site owners should update the plugin to version 2.8.13, which was released on October 20.
WordPress.org's download statistics show that 67.3% of active installations are on the 2.8 branch, while the remaining 32.7% are on older versions. With more than a million installations, that puts at least 327,000 websites at risk.
However, the 2.8 figure also covers 2.8.0 through 2.8.12, not only the patched 2.8.13, so the actual number of vulnerable sites is likely higher.
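Because the 2.8 branch figure lumps patched and unpatched installs together, the only reliable check is the exact installed version against 2.8.13. The script below is an added example, not code from the article or from the W3TC project: it reads the `Version:` line from a WordPress plugin header, compares it component-wise against 2.8.13, and reports whether the install is in the affected range. The plugin slug `w3-total-cache` and main file `w3-total-cache/w3-total-cache.php` are assumptions, as is the availability of WP-CLI for the live query; the sample header it parses is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or the W3TC project): decide whether an
# installed W3 Total Cache version is older than 2.8.13, the release that fixes
# CVE-2025-9501, and show how to read the version from the plugin header.

W3TC_FIXED_VERSION="2.8.13"

# version_lt A B: exit 0 if dotted version A is strictly older than B, else 1.
# Compares the first three numeric components; missing components count as 0,
# and any suffix such as "-beta1" is ignored for the comparison.
version_lt() {
    _a="$1.0.0"; _b="$2.0.0"; _i=1
    while [ "$_i" -le 3 ]; do
        _ac=$(printf '%s\n' "$_a" | cut -d. -f"$_i" | sed 's/[^0-9].*//')
        _bc=$(printf '%s\n' "$_b" | cut -d. -f"$_i" | sed 's/[^0-9].*//')
        _ac=${_ac:-0}; _bc=${_bc:-0}
        if [ "$_ac" -lt "$_bc" ]; then return 0; fi
        if [ "$_ac" -gt "$_bc" ]; then return 1; fi
        _i=$((_i + 1))
    done
    return 1
}

# w3tc_vulnerable VERSION: exit 0 if VERSION is in the range affected by
# CVE-2025-9501 (everything before 2.8.13), else 1.
w3tc_vulnerable() {
    version_lt "$1" "$W3TC_FIXED_VERSION"
}

# w3tc_header_version FILE: print the value of the "Version:" line from a
# WordPress plugin header block. For W3TC the main file is assumed to be
# wp-content/plugins/w3-total-cache/w3-total-cache.php.
w3tc_header_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*//p' "$1" \
        | head -n 1 | tr -d '[:space:]'
}

# w3tc_wpcli_version [WP_PATH]: query the live version with WP-CLI instead of
# parsing the file. Assumes the plugin slug is "w3-total-cache" and that the
# "wp" binary is installed; not called by the demo below.
w3tc_wpcli_version() {
    wp plugin get w3-total-cache --field=version ${1:+--path="$1"}
}

# Demo on a constructed plugin header standing in for an installed copy.
w3tc_demo() {
    _tmp=$(mktemp)
    cat > "$_tmp" <<'EOF'
<?php
/**
 * Plugin Name: W3 Total Cache
 * Version: 2.8.12
 */
EOF
    _v=$(w3tc_header_version "$_tmp")
    rm -f "$_tmp"
    if w3tc_vulnerable "$_v"; then
        echo "W3TC $_v: affected by CVE-2025-9501, update to $W3TC_FIXED_VERSION"
    else
        echo "W3TC $_v: not affected"
    fi
}

w3tc_demo
```

On a real host, replace the demo with `w3tc_vulnerable "$(w3tc_wpcli_version /var/www/html)"` and, if it exits 0, run `wp plugin update w3-total-cache` (or update from the dashboard) before re-checking. Anything reported as `2.8.x` below `.13` is still exposed, which is exactly the gap the WordPress.org branch statistics hide.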
In their advisory, researchers from WPScan, a vulnerability scanner built specifically for WordPress, said they have developed a proof-of-concept (PoC) exploit for the flaw and set a November 24 deadline to publish it, by which time they expect the majority of sites to have updated to the fixed version.
In many cases, mass exploitation starts the moment a PoC is released, since many threat actors will not bother developing one themselves and simply pick up what is already public. WordPress site owners and administrators should therefore update before the deadline.
Via Bleeping Computer