CVE-2025-9501

Published Nov 17, 2025

Last updated 17 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-9501 is a command injection vulnerability affecting the W3 Total Cache WordPress plugin versions before 2.8.13. This vulnerability exists in the `_parse_dynamic_mfunc` function. It allows unauthenticated users to execute PHP commands on the server. Attackers can exploit this vulnerability by submitting a comment containing a malicious payload to a post on a vulnerable website. Successful exploitation could lead to full site compromise, data theft, malware installation, or website defacement. The vulnerability was patched in version 2.8.13 of the W3 Total Cache plugin.

Description
The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.
Source: contact@wpscan.com
NVD status: Deferred

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9
Impact score: 6
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Social media

Hype score: Not currently trending
  1. NEW THREAT INTEL: Bissa Scanner -- AI-orchestrated mass exploitation of CVE-2025-55182 (Next.js RCE) and CVE-2025-9501 (W3 Total Cache). 9 detections, 29 IOCs. https://t.co/bVuLbIIj1p #ThreatIntel #CyberSecurity #CVE #Nextjs #WordPress https://t.co/w9wVc3LQZj

    @threadlinqs

    27 Apr 2026

    233 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress <= 2.9.1 (CVE-2025-9501) #W3TotalCache #WordPress #RCE #CVE20259501 #PatchBypass https://t.co/PzuAjZ9BD8

    @reverseame

    17 Mar 2026

    557 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  3. CVE-2025-9501 - W3 Total Cache WordPress plugin vulnerability https://t.co/CnnFZam0mG https://t.co/GPWxprGpf0

    @SirajD_Official

    1 Jan 2026

    64 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. #VulnerabilityReport #CommandInjection Critical W3 Total Cache Flaw (CVE-2025-9501, CVSS 9.0) Risks Unauthenticated RCE on 1 Million WordPress Sites https://t.co/2uP5gqaobo

    @Komodosec

    24 Dec 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. I’ve updated my blog post about CVE-2025-9501 and included bypasses for all W3 Total Cache versions up to and including the latest 2.8.15. #wordpress #security https://t.co/PVBnKi0rO8

    @MrTuxracer

    23 Dec 2025

    3902 Impressions

    9 Retweets

    58 Likes

    35 Bookmarks

    2 Replies

    0 Quotes

  6. ''Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress (CVE-2025-9501) | RCE Security'' #infosec #pentest #redteam #blueteam https://t.co/MvjxvEZ4P8

    @CyberWarship

    19 Dec 2025

    2512 Impressions

    5 Retweets

    25 Likes

    12 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-9501 - W3 Total Cache WordPress plugin vulnerability https://t.co/gVsfMk6Fny https://t.co/q7UmsTTzLF

    @CloudVirtues

    10 Dec 2025

    40 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-9501 - W3 Total Cache WordPress plugin vulnerability https://t.co/RDITpY8AcU https://t.co/uEEMSjPQmL

    @PhotoZel

    10 Dec 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚩 Critical flaw in W3 Total Cache (1M+ installs) leaves sites open to PHP command injection https://t.co/X18W7TNqB4 The popular WordPress caching plugin W3 Total Cache (W3TC) suffers from a critical command-injection bug (CVE-2025-9501) that allows unauthenticated attackers

    @Huntio

    5 Dec 2025

    947 Impressions

    5 Retweets

    14 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  10. Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress (CVE-2025-9501) | RCE Security https://t.co/pWnblNzoj7

    @akaclandestine

    26 Nov 2025

    1016 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. 🚨 CVE-2025-9501 is a critical vulnerability (CVSS 9.0) of the Command Injection/Remote Code Execution (RCE) type that affects the W3 Total Cache plugin for WordPress. 📌 Full details: https://t.co/o6iBAOzp5C #DNSC #CyberSecurity https://t.co/zFo92SJssI

    @DNSC_RO

    26 Nov 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress (CVE-2025-9501) https://t.co/DRVuenXjmO

    @_r_netsec

    25 Nov 2025

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. ⚠️Vulnerability in a WordPress plugin ❗CVE-2025-9501 ➡️More info: https://t.co/hqcyZGV98g https://t.co/eGZhiVi7nY

    @CERTpy

    25 Nov 2025

    90 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. A critical WordPress flaw — CVE-2025-9501 — puts over 1M sites at risk of full takeover through the W3 Total Cache plugin. 👉 Schedule an appointment or contact us today! 📞 (949) 379-8499 | 🌐 https://t.co/cjLil4ISP7 #WordPress #CyberSecurity #Technijian #CVE20259501 h

    @technijian_

    25 Nov 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress (CVE-2025-9501) https://t.co/DRVuenXjmO

    @_r_netsec

    24 Nov 2025

    645 Impressions

    0 Retweets

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  16. Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress (CVE-2025-9501) https://t.co/DRVuenXjmO

    @_r_netsec

    23 Nov 2025

    1034 Impressions

    0 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-9501 (CVSS:9.0, CRITICAL) is Awaiting Analysis. The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc functi..https://t.co/PEgv7mKcxt #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    22 Nov 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 1/10 🚨 Cybersecurity Morning Brief – Nov 21, 2025 Critical unauthenticated RCE in W3 Total Cache (CVE-2025-9501, CVSS 9.0) affects >1M WordPress sites. Exploit via malicious comment → PHP exec. Patch to 2.8.13 NOW. PoC incoming. https://t.co/JXz7WmZDt9 #WordPress #CVE20

    @RIPS73R

    21 Nov 2025

    38 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  19. Good news, WordPress friends! A shiny new patch just dropped for W3 Total Cache (CVE-2025-9501) and it squashes that sneaky RCE bug for good! One quick update = total peace of mind. Your site stays fast AND safe — best combo ever! Update today and keep the good vibes rolling!P.

    @ImperialTechSvc

    21 Nov 2025

    37 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Just one-shot'ed reversing CVE-2025-9501, a bug potentially affecting 1M+ WordPress installs, using @HacktronAI. It stems from an eval call reaching user-controllable input. The CVE-2025-9501 agent in Hacktron CLI can now detect similar patterns across other WordPress https://t

    @rootxharsh

    20 Nov 2025

    9036 Impressions

    2 Retweets

    58 Likes

    27 Bookmarks

    1 Reply

    1 Quote

  21. Warning: Critical command injection in #WordPress plugin #W3TotalCache. CVE-2025-9501 CVSS: 9.0. This vulnerability allows unauthenticated users to execute arbitrary commands by leaving a comment. https://t.co/a2bTlK3OR7 #Patch #Patch #Patch

    @CCBalert

    20 Nov 2025

    58 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. Dangerous bug in a WordPress cache plugin. Critical vulnerability in the W3 Total Cache plugin for WordPress, which is installed on more than one million websites: the possibility of executing PHP commands on the serv

    @Teeegra

    20 Nov 2025

    1827 Impressions

    0 Retweets

    16 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  23. A critical flaw in W3 Total Cache (1M+ installs) lets attackers inject PHP commands without logging in. Tracked as CVE-2025-9501, it affects all versions < 2.8.13. ~327k sites still unpatched. Public exploit drops Nov 24. #WordPress #CyberSecurity #CVE https://t.co/9NYEDFWraO

    @ProgresiveRobot

    20 Nov 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Reversing public #security advisories has been a lot of fun lately. Here's an exploit I've built for CVE-2025-9501 that potentially affects 1+ million #WordPress installations: https://t.co/PVBnKi0rO8

    @MrTuxracer

    20 Nov 2025

    8855 Impressions

    15 Retweets

    100 Likes

    52 Bookmarks

    0 Replies

    0 Quotes

  25. New WordPress Vulnerability: W3 Total Cache CVE-2025-9501 #internet #cybersecurity #wordpress [ Source: https://t.co/38lH5UrzTV ] #rswebsols #WordPressSecurity #W3TotalCache #CVE20259501 #WebDev #CyberThreats https://t.co/FCc1jF8MPx

    @rswebsols

    20 Nov 2025

    69 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  26. CVE-2025-9501 plugin W3 Total #Hacked #wordpress #CyberSecurity #BugBounty https://t.co/PzJmWaojIX

    @Nxploited

    20 Nov 2025

    124 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Unauthenticated PHP command injection in W3 Total Cache (CVE-2025-9501) https://t.co/58C9zMPpRm #Security #セキュリティー #ニュース

    @SecureShield_

    20 Nov 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Critical flaw in W3 Total Cache allows remote PHP execution: Vulnerability CVE-2025-9501 in the W3 Total Cache plugin for WordPress allows attackers to execute PHP commands via malicious comments, threatening full control of the site; update to version 2.8.13

    @caveiratech

    20 Nov 2025

    74 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  29. A critical PHP command injection vulnerability (CVE-2025-9501) affects W3 Total Cache versions before 2.8.13, enabling remote code execution via comments. Patch released on Oct 20. #WordPress #PluginRisk #USA https://t.co/x3yjxQtBaN

    @TweetThreatNews

    19 Nov 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress (CVE-2025-9501) https://t.co/keRNa3A2XC

    @Dinosn

    19 Nov 2025

    1279 Impressions

    1 Retweet

    1 Like

    4 Bookmarks

    0 Replies

    0 Quotes

  31. We took @_WPScan_'s one-liner #security advisory for CVE-2025-9501 affecting the W3 Total Cache plugin for #WordPress, analysed its cache parsing internals and built a pre-auth RCE exploit for it 😎 https://t.co/zgCf028Yts #infosec

    @rcesecurity

    19 Nov 2025

    1326 Impressions

    3 Retweets

    9 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  32. A critical flaw in W3 Total Cache plugin (CVE-2025-9501) enables remote code execution via malicious PHP in comments, impacting 1M+ WordPress sites using versions before 2.8.13. #WordPressRisk #WebVulnerability #USA https://t.co/KnTcuGs7AS

    @TweetThreatNews

    18 Nov 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. For the W3 Total Cache plugin for Wordpress, a vulnerability with the identifier CVE-2025-9501, of the Command injection type, has been published that threatens one million websites. To secure it,

    @EthicalSafe

    18 Nov 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. 🚨 CRITICAL VULNERABILITY: W3 Total Cache WordPress plugin (1M+ sites) has a critical RCE flaw (CVE-2025-9501, CVSS 9.0). Unauthenticated attackers can take over sites via a malicious comment. Update to version 2.8.13 NOW! ⚠️ #WordPress #CyberSecuri... 🔗 https://t.co/Nc

    @NetSecIO

    18 Nov 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. 🚨🚨CVE-2025-9501: Unauthenticated Command Injection in W3 Total Cache Attackers to execute arbitrary PHP commands simply by posting a crafted comment — no authentication required. Search by vul.cve Filter👉vul.cve="CVE-2025-9501" ZoomEye Dork👉app="WordPress W3 Total

    @zoomeye_team

    18 Nov 2025

    4897 Impressions

    22 Retweets

    63 Likes

    31 Bookmarks

    1 Reply

    0 Quotes

  36. 🚨🚨CVE-2025-9501: Unauthenticated Command Injection in W3 Total Cache Attackers to execute arbitrary PHP commands simply by posting a crafted comment — no authentication required. Search by vul.cve Filter👉vul.cve="CVE-2025-9501" ZoomEye Dork👉app="WordPress W3 Total

    @zoomeye_team

    18 Nov 2025

    317 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. CVE-2025-9501: Command Injection in W3 Total Cache plugin, 9.0 rating 🔥 A vulnerability in a popular website speedup plugin allows attackers to remotely execute PHP code. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/CympXBUuLD https://t.co/7ypgKwCqlh

    @Netlas_io

    18 Nov 2025

    671 Impressions

    4 Retweets

    3 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  38. CVE-2025-9501 Unauthenticated Command Injection in W3 Total Cache WordPress Plugin Before 2.8.13 https://t.co/V5Zwdq4LyV

    @VulmonFeeds

    17 Nov 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. CVE-2025-9501 The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PH… https://t.co/RLY3gCMJ9C

    @CVEnew

    17 Nov 2025

    458 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.