Identified - A critical vulnerability has been disclosed in the W3 Total Cache WordPress plugin affecting versions below 2.8.13. This issue (CVE-2025-9501) is a command injection vulnerability that can be exploited without authentication via the _parse_dynamic_mfunc function by submitting a specially crafted comment, potentially allowing remote code execution on affected sites.
More information can be found here:
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
The vulnerability is rated CVSS 9.0 (Critical), and a fixed version is available in W3 Total Cache 2.8.13 and later.
We strongly suggest that all clients using the W3 Total Cache plugin with WordPress immediately update that plugin to the latest version.
IMPORTANT: The public proof of concept (PoC) has been released with information on how the vulnerability can be exploited, which may increase the likelihood of compromise attempts.
Nov 24, 2025 - 15:49 CST
More information can be found here:
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
The vulnerability is rated CVSS 9.0 (Critical), and a fixed version is available in W3 Total Cache 2.8.13 and later.
We strongly suggest that all clients using the W3 Total Cache plugin with WordPress immediately update that plugin to the latest version.
IMPORTANT: The public proof of concept (PoC) has been released with information on how the vulnerability can be exploited, which may increase the likelihood of compromise attempts.
Nov 24, 2025 - 15:49 CST
PHP Services
Operational
LAN
Operational
PHX
Operational
IIS Services
Operational
LAN
Operational
PHX
Operational
MariaDB
Operational
LAN
Operational
PHX
Operational
MSSQL
Operational
LAN
Operational
PHX
Operational
FTP
Operational
LAN
Operational
PHX
Operational
Management Portal
Operational
Management Portal
Operational
Operational
Degraded Performance
Partial Outage
Major Outage
Maintenance