W3 Total Cache PoC Published, Putting Millions of WordPress Sites at Risk


A proof-of-concept (PoC) exploit has been released for CVE-2025-9501, a critical command-injection vulnerability in W3 Total Cache, one of the most widely used caching plugins for WordPress.

With over 1 million active installations, this flaw puts a large number of websites at risk.

Researchers at RCE Security found that the issue comes from how W3 Total Cache processes dynamic content. The problem lies in the _parse_dynamic_mfunc function inside the PgCache_ContentGrabber class.

This code uses PHP’s eval() function to execute content pulled from cached pages — which opens the door to direct code injection.

RCE Security analyzed WPScan’s advisory and created a working exploit to confirm how serious the vulnerability is.

However, the attack only works under certain conditions. An attacker must know the value of the W3TC_DYNAMIC_SECURITY constant in the site’s wp-config.php file.
Additionally:

  • Page caching must be enabled (it’s core functionality but off by default)
  • The website must allow comments from unauthenticated users

If these conditions are met, an attacker can inject malicious PHP code using crafted HTML comments in cached pages — leading to full remote code execution (RCE) on the site.

CVE ID: CVE-2025-9501
Vulnerability Type: Unauthenticated Command Injection / Remote Code Execution
Affected Plugin: W3 Total Cache
Affected Versions: Versions containing the vulnerable code in the PgCache_ContentGrabber class
Attack Vector: Malicious mfunc comments inside cached page content
Impact: Full Remote Code Execution & Potential Server Takeover
Status: PoC Exploit Publicly Released

When W3 Total Cache processes a cached page, it calls the vulnerable _parse_dynamic_mfunc function. This function scans the cached content for special mfunc comment tags.

If an attacker knows the value of the W3TC_DYNAMIC_SECURITY key, they can place malicious PHP code inside these tags. The plugin then executes this code directly on the server, giving the attacker remote command execution.

For example, an attacker could run:

echo passthru($_GET[1337])

Once the required conditions are met, exploitation is straightforward.
The level of risk depends heavily on how administrators configure W3 Total Cache.

Sites that use the W3TC_DYNAMIC_SECURITY feature with default or weak values are especially vulnerable.

Website administrators using W3 Total Cache should update to the latest patched version as soon as possible. If an update isn’t available, temporarily disable the Page Cache feature or restrict comments to logged-in users.
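The check below is an added example, not code from RCE Security, WPScan or the W3 Total Cache project. It audits the W3TC_DYNAMIC_SECURITY value in a wp-config.php and flags visitor comments that carry mfunc markers. The define() pattern, the tag syntax, the weak-value list, the thresholds and all function names are assumptions made for illustration.

```python
import math
import re

# Assumption: the constant is set by a literal define('W3TC_DYNAMIC_SECURITY', '...').
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]W3TC_DYNAMIC_SECURITY['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
# Assumption: mfunc tags are HTML comments of the form "<!-- mfunc TOKEN -->".
MFUNC_RE = re.compile(r"<!--\s*/?\s*mfunc\b", re.IGNORECASE)
# Constructed placeholder-style values; extend with strings seen in your own estate.
WEAK_VALUES = {"", "secret", "changeme", "password", "mysecurestring", "w3tc"}
MIN_LEN, MIN_BITS = 24, 80.0  # thresholds picked for this example, not vendor guidance

# Constructed sample inputs (not taken from any real site).
SAMPLE_CONFIG = "<?php\ndefine('W3TC_DYNAMIC_SECURITY', 'mysecurestring');\n"
SAMPLE_COMMENT = "<!-- mfunc mysecurestring -->placeholder<!-- /mfunc mysecurestring -->"

def entropy_bits(value):
    """Shannon entropy of the string's own character distribution, in total bits."""
    if not value:
        return 0.0
    freqs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in freqs) * len(value)

def read_secret(wp_config_text):
    """Return the configured value, or None if no active define() is present."""
    for line in wp_config_text.splitlines():
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip commented-out lines
        match = DEFINE_RE.search(line)
        if match:
            return match.group(1)
    return None

def audit_secret(wp_config_text):
    """Classify the constant as 'not-defined', 'weak' or 'ok'."""
    secret = read_secret(wp_config_text)
    if secret is None:
        return "not-defined"
    if (secret.lower() in WEAK_VALUES or len(secret) < MIN_LEN
            or entropy_bits(secret) < MIN_BITS):
        return "weak"
    return "ok"

def classify_comment(body, secret):
    """Flag visitor comments carrying mfunc markers; worse if they hold the secret."""
    if not MFUNC_RE.search(body):
        return "clean"
    return "mfunc-with-secret" if secret and secret in body else "mfunc-marker"
```

A comment classified as mfunc-with-secret means the configured value is known outside the site and should be rotated after the plugin is updated.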


About the Author:

FirstHackersNews- Identifies Security
