
[CIVN-2025-0332] Command Injection Vulnerability in W3 Total Cache WordPress Plugin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Command Injection Vulnerability in W3 Total Cache WordPress Plugin
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
· W3 Total Cache WordPress plugin versions prior to 2.8.13
Overview
A critical vulnerability has been reported in the W3 Total Cache WordPress plugin, which could allow an unauthenticated, remote attacker to execute arbitrary PHP code on the targeted system.
Target Audience:
Administrators and organisations using WordPress websites with the W3 Total Cache plugin installed.
Risk Assessment:
High likelihood of exploitation due to unauthenticated access through public comment submission.
Impact Assessment:
Potential data theft, malware deployment, or complete website takeover.
Description
W3 Total Cache is a widely used WordPress plugin intended to improve website performance through caching, minification, and CDN integration.
A command injection vulnerability exists in the plugin due to improper input sanitisation in the parse_dynamic_mfunc (also referenced as _parse_dynamic_mfunc) function. The flaw allows user-supplied input—especially via publicly accessible comment forms—to be processed as executable PHP code.
An unauthenticated attacker can deliver a specially crafted comment containing malicious payloads. When processed by the vulnerable function, these payloads result in arbitrary PHP command execution on the server.
Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to execute arbitrary PHP code on the targeted system.
Solution
Apply appropriate updates as mentioned in:
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
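The following script is added here as a worked illustration for administrators checking their own installations; it is not part of the CERT-In advisory and not the plugin's or WPScan's code. It reads the WordPress plugin header and reports whether the installed W3 Total Cache version is below the fixed release 2.8.13 named above. It assumes the plugin's main file is wp-content/plugins/w3-total-cache/w3-total-cache.php with a standard "Version:" header line (an assumption about the layout, not something stated in the advisory); the sample header embedded in the script is constructed. Version components are compared numerically, because a plain string comparison would wrongly rank 2.8.9 above 2.8.13.

```python
import re
import sys
from pathlib import Path

# Fixed release taken from the advisory: versions prior to 2.8.13 are affected.
FIXED_VERSION = "2.8.13"

# Assumption: standard WordPress plugin layout; the main file carries the
# plugin header with a "Version:" line. Adjust if your install differs.
PLUGIN_MAIN_FILE = "wp-content/plugins/w3-total-cache/w3-total-cache.php"

# Constructed sample header (version chosen to show the lexical-compare trap).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Version: 2.8.9
 */
"""


def parse_version(header_text):
    """Return the 'Version:' value from a WordPress plugin header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)",
                  header_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_tuple(version):
    """Turn '2.8.13' into (2, 8, 13) so components compare as integers.

    Non-numeric suffixes such as '13-beta' keep their leading digits; short
    versions are padded so (2, 8) equals (2, 8, 0).
    """
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return version_tuple(installed) < version_tuple(fixed)


def assess_plugin_header(header_text):
    """Return (version, vulnerable); (None, None) if no header version found."""
    version = parse_version(header_text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


def assess_wordpress_root(root):
    """Locate the plugin under a WordPress root; None if it is not installed."""
    path = Path(root) / PLUGIN_MAIN_FILE
    if not path.is_file():
        return None
    # The header sits at the top of the file; 8 KiB is plenty.
    return assess_plugin_header(path.read_text(errors="replace")[:8192])


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    result = assess_wordpress_root(target)
    if result is None:
        print(f"W3 Total Cache not found under {target}")
    else:
        version, vulnerable = result
        if version is None:
            print("plugin present but no Version: header found; inspect manually")
        else:
            status = "VULNERABLE (update to 2.8.13 or later)" if vulnerable else "patched"
            print(f"W3 Total Cache {version}: {status}")
```

Run it with the WordPress document root as the argument (python3 check_w3tc.py /var/www/html). On a site with multiple installs, loop over each root; the same numeric comparison applies to any plugin advisory that names a fixed version.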
Vendor Information
WPScan
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
References
WPScan
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
CVE Name
CVE-2025-9501
- --
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
=SboB
-----END PGP SIGNATURE-----