cleantalk
Vulnerabilities and Security Researches

W3 Total Cache, CVE-2025-9501

CVE, Research URL

CVE-2025-9501

Home page URL

Security reports for W3 Total Cache

Application

W3 Total Cache

Published on
Nov 17, 2025
Research Description
The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.
Affected versions
max 2.8.13.
Status
vulnerable
Previous vulnerability researches
Post Ticker Ultimate (CVE-2026-6443) , Apr 23, 2026
Post Ticker Ultimate (adef06891bf0c197fcec661504b5c06a996df18d) , Jun 06, 2024
New vulnerability
Events Addon for Elementor (CVE-2025-8150) , Apr 24, 2026
WordPress Infinite Scroll – Ajax Load More (CVE-2025-59582) , Apr 24, 2026
WP Compress – Image Optimizer [All-In-One] (CVE-2025-57899) , Apr 24, 2026
Classified Listing – Classified ads & Business Directory Plugin (CVE-2025-7711) , Apr 24, 2026
Popup Anything – Popup for opt-ins and Lead Generation Conversions (CVE-2026-6443) , Apr 24, 2026