W3 Total Cache Plugin Vulnerability Exposes Sites to PHP Injection Risks
- CVE-2025-9501 vulnerability permits unauthenticated PHP command injection.
- All versions prior to 2.8.13 are affected; an estimated 327,000 or more websites remain vulnerable.
- WPScan plans to release an exploit on November 24, raising fears of mass exploitation.
The W3 Total Cache (W3TC) plugin, used by more than a million WordPress sites, contains a serious vulnerability that could allow attackers to take control of affected websites, security researchers have warned.
The flaw is classified as a command injection vulnerability: an attacker can execute PHP commands by submitting a specially crafted comment on a post. No authentication is required, so any visitor who can post a comment can reach the vulnerable code.
Designated CVE-2025-9501, the vulnerability carries a critical severity rating of 9.0 out of 10 and affects all versions released before 2.8.13.
Imminent November 24 Deadline
To mitigate the risk, users are advised to upgrade to version 2.8.13, which became available on October 20.
Data from WordPress.org indicates that 67.3% of installations have updated to version 2.8, leaving the remaining 32.7% vulnerable. This translates to at least 327,000 sites at continued risk.
Notably, that statistic counts every 2.8.x release together, so it does not confirm that all of the updated installations are on 2.8.13; the true number of vulnerable websites may therefore be higher.
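Because the WordPress.org figure only distinguishes the 2.8 branch, the practical check for an administrator is whether the installed W3TC version is at or above 2.8.13. The script below is an added example and is not code from the article, from W3TC or from WPScan: it reads the `Version:` field from a plugin's main-file header (the format WordPress itself uses for plugin metadata), compares it numerically with the fixed release, and reports whether the install is still exposed. The header text embedded in it is a constructed sample with a made-up version number, and the header regex is a simplified approximation of WordPress's own parser.

```python
"""Check whether an installed W3 Total Cache version predates the CVE-2025-9501 fix."""
import re
import sys
from typing import List, Optional

# First release that fixes CVE-2025-9501, as stated in the article.
FIXED_VERSION = "2.8.13"

# Constructed sample of a plugin main-file header. The version value is a
# made-up example chosen to show the string-comparison pitfall below.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Description: Search Engine (SEO) & Performance Optimization (WPO) via caching.
 * Version: 2.8.9
 */
"""


def parse_version(version: str) -> List[int]:
    """Turn '2.8.13' into [2, 8, 13] so that comparisons are numeric.

    A plain string comparison would rank '2.8.9' above '2.8.13' because
    '9' > '1' character-wise, which is exactly the wrong answer here.
    Pre-release suffixes (e.g. '-rc1') are not modelled; their digits are
    simply appended as an extra component.
    """
    return [int(part) for part in re.findall(r"\d+", version)]


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release.

    A bare branch such as '2.8' compares as [2, 8] < [2, 8, 13], i.e. it is
    treated as vulnerable, which is the conservative reading.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_header(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment.

    Simplified approximation of WordPress's header parser: it looks for a
    line of the form ' * Version: 2.8.9' and returns the value.
    """
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def assess(header_text: str) -> str:
    """Return a one-line verdict for the plugin whose header text is given."""
    version = version_from_header(header_text)
    if version is None:
        return "UNKNOWN: no Version header found; check the install manually"
    if is_vulnerable(version):
        return (f"VULNERABLE: {version} < {FIXED_VERSION} "
                f"(CVE-2025-9501); update to {FIXED_VERSION} or later")
    return f"OK: {version} >= {FIXED_VERSION}"


if __name__ == "__main__":
    # Usage: python check_w3tc.py /path/to/wp-content/plugins/w3-total-cache/w3-total-cache.php
    # Without an argument the constructed sample header is assessed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PLUGIN_HEADER
    print(assess(text))
```

On a host with WP-CLI, `wp plugin get w3-total-cache --field=version` prints the installed version directly; the same `is_vulnerable` comparison applies to that output. The numeric comparison is the part worth keeping: 2.8.9 is older than 2.8.13, and any check that compares version strings lexically will report the opposite.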

According to WPScan's security advisory, a proof-of-concept (PoC) exploit is scheduled for release on November 24. WPScan expects that, before that date, many site administrators will have updated the plugin to the patched version.
Historically, the publication of a PoC often triggers mass exploitation, as many threat actors prefer a readily available exploit to developing their own. WordPress site owners and administrators should therefore apply the update without delay.
Source link: Techradar.com.