PoC Released for W3 Total Cache RCE Vulnerability Exposing 1+ Million Websites

Security researchers have published a proof-of-concept exploit for a critical remote code execution vulnerability in W3 Total Cache, one of WordPress’s most popular caching plugins with over one million active installations.

The flaw, tracked as CVE-2025-9501, enables attackers to execute arbitrary code on vulnerable websites, triggering immediate patch deployment across the ecosystem.

Vulnerability Details

Field	Details
CVE ID	CVE-2025-9501
Affected Product	W3 Total Cache Plugin for WordPress
Affected Versions	Versions prior to patch (1M+ installations)
Vulnerability Type	Unauthenticated Command Injection / Remote Code Execution
CVSS Score	Critical (9.0+)
Attack Vector	Network / Unauthenticated
Discoverer	Researcher “wcraft”; analyzed by Julien Ahrens (RCE Security)

The vulnerability stems from an unauthenticated command injection flaw in W3 Total Cache’s page-caching mechanism.

Specifically, the flaw exists in the plugin’s _parse_dynamic_mfunc function within the PgCache_ContentGrabber class.

This function uses PHP’s eval() function to execute code contained in specially formatted comments within cached pages.

The exploitation chain requires attackers to inject malicious code via WordPress comments that use the mfunc tag format.

Once the page is cached, the plugin processes these comments and automatically executes the embedded code whenever the cached page is served to visitors.

This creates a persistent code execution vector affecting all site visitors.

Successful exploitation depends on three critical conditions. First, attackers must know the value of the W3TC_DYNAMIC_SECURITY constant, a unique security string defined in the WordPress configuration file. Without this secret value, the attack cannot proceed.

Second, WordPress comments must be enabled for unauthenticated users. If comments are disabled or require authentication, exploitation requires authenticated comment privileges.

Third, the Page Cache feature must be enabled in W3 Total Cache. While this is the plugin’s core functionality, it remains disabled by default on fresh installations.

These prerequisites significantly reduce the attack surface; however, sites that meet these conditions remain vulnerable to complete system compromise, allowing attackers to gain full control over WordPress installations and steal sensitive data, install backdoors, or execute further attacks.

Website administrators using W3 Total Cache should immediately update to the latest patched version.

If updates are unavailable, temporary mitigations include disabling the Page Cache feature or restricting comment functionality to authenticated users only.

Organizations should also review their W3TC_DYNAMIC_SECURITY constant configuration, ensuring it uses substantial, unpredictable values rather than defaults.

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates

The post PoC Released for W3 Total Cache RCE Vulnerability Exposing 1+ Million Websites appeared first on Cyber Security News.