
The flaw, tracked as CVE-2025-9501, enables attackers to execute arbitrary code on vulnerable websites, triggering immediate patch deployment across the ecosystem.

Vulnerability Details

| Field | Details |
|---|---|
| CVE ID | CVE-2025-9501 |
| Affected Product | W3 Total Cache Plugin for WordPress |
| Affected Versions | Versions prior to patch (1M+ installations) |
| Vulnerability Type | Unauthenticated Command Injection / Remote Code Execution |
| CVSS Score | Critical (9.0+) |
| Attack Vector | Network / Unauthenticated |
| Discoverer | Researcher “wcraft”; analyzed by Julien Ahrens (RCE Security) |

The vulnerability stems from an unauthenticated command injection flaw in W3 Total Cache’s page-caching mechanism.
Specifically, the flaw exists in the plugin’s _parse_dynamic_mfunc function within the PgCache_ContentGrabber class.
This function uses PHP’s eval() function to execute code contained in specially formatted comments within cached pages.
The exploitation chain requires attackers to inject malicious code via WordPress comments that use the mfunc tag format.

Once the page is cached, the plugin processes these comments and automatically executes the embedded code whenever the cached page is served to visitors.
This creates a persistent code execution vector affecting all site visitors.
Successful exploitation depends on three critical conditions. First, attackers must know the value of the W3TC_DYNAMIC_SECURITY constant, a unique security string defined in the WordPress configuration file. Without this secret value, the attack cannot proceed.
Second, WordPress comments must be enabled for unauthenticated users. If comments are disabled or require authentication, exploitation requires authenticated comment privileges.
Third, the Page Cache feature must be enabled in W3 Total Cache. While this is the plugin’s core functionality, it remains disabled by default on fresh installations.
These prerequisites significantly reduce the attack surface; however, sites that meet these conditions remain vulnerable to complete system compromise, allowing attackers to gain full control over WordPress installations and steal sensitive data, install backdoors, or execute further attacks.
Website administrators using W3 Total Cache should immediately update to the latest patched version.
If updates are unavailable, temporary mitigations include disabling the Page Cache feature or restricting comment functionality to authenticated users only.
Organizations should also review their W3TC_DYNAMIC_SECURITY constant configuration, ensuring it is set to a substantial, unpredictable value rather than a default.
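
As an added example (not from the original article or from the plugin's code), this Python check audits the W3TC_DYNAMIC_SECURITY value in a copy of the WordPress configuration file and flags exported comment bodies that carry an mfunc marker, so they can be reviewed before the page cache is re-enabled. The function names, the length and entropy thresholds, and the `<!-- mfunc ... -->` marker syntax (taken from W3 Total Cache's documented fragment-caching feature, not from this page) are assumptions.

```python
import math
import re
from collections import Counter

# define('W3TC_DYNAMIC_SECURITY', 'value') at the start of a line, so a
# define that has been commented out with // or # is not counted.
DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*['"]W3TC_DYNAMIC_SECURITY['"]\s*,\s*(['"])(.*?)\1\s*\)""",
    re.M,
)
# Opening or closing mfunc marker inside an HTML comment (assumed syntax).
MFUNC_RE = re.compile(r"<!--\s*/?\s*mfunc\b", re.I)


def entropy_bits(value):
    """Shannon entropy estimate for the whole string, in bits."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c * math.log2(c / n) for c in Counter(value).values())


def audit_secret(wp_config_text, min_len=32, min_bits=96.0):
    """Return 'missing', 'weak' or 'ok'; both thresholds are assumptions."""
    match = DEFINE_RE.search(wp_config_text)
    if match is None:
        return "missing"
    value = match.group(2)
    if len(value) < min_len or entropy_bits(value) < min_bits:
        return "weak"
    return "ok"


def flag_comments(comments):
    """Return ids of (id, body) comments whose body contains an mfunc marker."""
    return [cid for cid, body in comments if MFUNC_RE.search(body)]


# Constructed sample input, not taken from any real site.
SAMPLE_CONFIG = """<?php
// define('W3TC_DYNAMIC_SECURITY', 'old-commented-out-value');
define( 'W3TC_DYNAMIC_SECURITY', 'mysecret' );
"""
SAMPLE_COMMENTS = [
    (101, "Great article, thanks for sharing."),
    (102, "hello <!-- mfunc PLACEHOLDER -->...<!-- /mfunc PLACEHOLDER -->"),
    (103, "Does mfunc caching work with my theme?"),
]

if __name__ == "__main__":
    print("W3TC_DYNAMIC_SECURITY:", audit_secret(SAMPLE_CONFIG))
    print("comments to review:", flag_comments(SAMPLE_COMMENTS))
```

The entropy figure is a rough estimate from character frequencies, so treat "ok" as "not obviously weak" rather than as proof the value is random.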
The post PoC Released for W3 Total Cache RCE Vulnerability Exposing 1+ Million Websites appeared first on Cyber Security News.
