W3 Total Cache, CVE-2025-9501

CVE, Research URL: CVE-2025-9501
Home page URL: Security reports for W3 Total Cache
Application: W3 Total Cache
Published on: Nov 17, 2025
Research Description: The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.
Affected versions: max 2.8.13.
Status: vulnerable