- W3 Total Cache plugin flaw CVE-2025-9501 enables unauthenticated PHP command injection
- Affects all versions before 2.8.13; ~327,000+ sites remain at risk
- WPScan PoC exploit set for Nov 24, raising mass exploitation concerns
W3 Total Cache (W3TC), a WordPress plugin with more than a million users, carries a critical-severity vulnerability that allows threat actors to fully take over compromised websites, experts have warned.
The bug is described as a command injection flaw that works by submitting a comment with a malicious payload to a post. The attacker does not need to be authenticated on the website in order to inject PHP commands this way.
The vulnerability is now tracked as CVE-2025-9501, and with a severity score of 9.0/10 (critical), it affects all versions of the plugin before 2.8.13.
November 24 deadline
To patch the flaw, users should update their plugin to version 2.8.13, which was released on October 20.
Looking at the data from the WordPress.org site, it says that 67.3% of pages have updated to version 2.8, while the remaining 32.7% are on older versions. That would put at least 327,000 websites at risk.
However, it doesn’t mean that all 67.3% are running version 2.8.13, so the actual number of vulnerable websites is likely a lot bigger.
In their security advisory, researchers from WPScan, a security scanner built specifically for the WordPress website builder, said they developed a Proof-of-Concept (PoC) exploit for the flaw, and set a deadline for November 24 to publish it. Before that, they expect the majority of websites to have updated their plugins to the secured version.
In many instances, mass exploitation starts the moment a PoC is released, since many threat actors can’t be bothered to develop one themselves, and will simply pick up on whatever is already out there. Therefore, it is crucial for WordPress site owners and admins to update before the deadline.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/7NLZKWEKmFLJVAH4nubeaX-970-80.jpg
Source link
