Cyber Web Spider Blog – News

PoC released for W3 Total Cache Vulnerability that Exposes 1+ Million Websites to RCE Attacks

Posted on November 24, 2025 By CWS

A proof-of-concept exploit has been publicly released for CVE-2025-9501, a critical, unauthenticated command-injection vulnerability affecting W3 Total Cache, one of WordPress’s most widely deployed caching plugins.

With over 1 million active installations, the vulnerability poses a significant risk to numerous websites worldwide.

RCE Security found that the flaw exists in W3 Total Cache’s dynamic content parsing functionality, specifically in the _parse_dynamic_mfunc function within the PgCache_ContentGrabber class.

The vulnerable code uses PHP’s eval() function to execute code derived from cached page content, creating a direct code injection vector.

Page Cache is enabled in the plugin

Unauthenticated Command Injection Found

RCESecurity researchers analyzed WPScan’s preliminary advisory and developed a working exploit to validate the vulnerability’s severity.

The vulnerability requires specific conditions to be exploitable. Attackers must know the W3TC_DYNAMIC_SECURITY constant value defined in the site’s wp-config.php file.

Additionally, page caching must be enabled (core functionality but disabled by default), and website comments must be permitted for unauthenticated users.

If these conditions align, attackers can inject arbitrary PHP code through specially crafted HTML comments in cached pages, achieving full remote code execution.

| Property | Value |
|---|---|
| CVE ID | CVE-2025-9501 |
| Vulnerability Type | Unauthenticated Command Injection / Remote Code Execution |
| Affected Plugin | W3 Total Cache |
| Affected Versions | Versions with vulnerable code in PgCache_ContentGrabber class |
| Attack Vector | Cached page content with malicious mfunc comments |
| Impact | Remote Code Execution, Full Server Compromise |
| Status | Exploit PoC Released |

When the page cache processes a request, it invokes the vulnerable _parse_dynamic function, which searches cached content for specially formatted mfunc comment tags.

If an attacker knows the W3TC_DYNAMIC_SECURITY value, they can inject malicious PHP code inside these tags. The code then executes directly on the server, granting attackers shell-level access.

A simple injection like echo passthru($_GET[1337]) allows command execution.

While technically simple to exploit once preconditions are met, the vulnerability’s real-world impact depends on WordPress administrator practices.

Sites using the W3TC_DYNAMIC_SECURITY feature with default values or weak secrets face heightened risk.
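An added example, not from the original article or from RCE Security: a Python audit a site owner could run over the text of their own wp-config.php and over exported visitor comment bodies, covering the weak-secret and mfunc-comment conditions described above. The 32-character minimum, the weakness heuristics, and the sample config and comments are constructed assumptions.

```python
import html
import re

# Live (uncommented) define('W3TC_DYNAMIC_SECURITY', '...') in wp-config.php.
DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*['"]W3TC_DYNAMIC_SECURITY['"]\s*,\s*['"]([^'"]*)['"]""",
    re.MULTILINE)
# Opening or closing mfunc HTML comment tag, whatever token follows it.
MFUNC_RE = re.compile(r"<!--\s*/?mfunc\b", re.IGNORECASE)
MIN_LEN = 32  # assumed local policy, not a value taken from the plugin


def audit_secret(wp_config_text):
    """Return (status, reasons) for the W3TC_DYNAMIC_SECURITY constant."""
    m = DEFINE_RE.search(wp_config_text)
    if not m:
        return "not-defined", []
    value, reasons = m.group(1), []
    if len(value) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(set(value)) < 10:
        reasons.append("low character variety")
    if re.fullmatch(r"[a-z]+|\d+", value, re.IGNORECASE):
        reasons.append("single character class")
    return ("weak" if reasons else "ok"), reasons


def flag_comments(comments):
    """Return ids of visitor comments carrying mfunc tags (raw or entity-encoded)."""
    return [cid for cid, body in comments
            if MFUNC_RE.search(html.unescape(body))]


# Constructed sample input, not taken from any real site.
SAMPLE_CONFIG = """<?php
// define('W3TC_DYNAMIC_SECURITY', 'aB3dE5gH7jK9mN1pQaB3dE5gH7jK9mN1pQ');
define('W3TC_DYNAMIC_SECURITY', 'changeme');
"""
SAMPLE_COMMENTS = [
    (101, "Great post, thanks!"),
    (102, "hi <!-- mfunc EXAMPLE_TOKEN -->(code elided)<!-- /mfunc EXAMPLE_TOKEN -->"),
    (103, "&lt;!-- mfunc EXAMPLE_TOKEN --&gt;(code elided)"),
]

if __name__ == "__main__":
    print(audit_secret(SAMPLE_CONFIG))
    print(flag_comments(SAMPLE_COMMENTS))
```

A "not-defined" result means the constant is absent from the file checked; any flagged comment id warrants manual review before the page it belongs to is cached again.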

Comments are enabled for unauthenticated users

The combination of widespread plugin adoption and the ability to execute arbitrary code positions this as a critical threat.

RCESecurity recommends that website administrators using W3 Total Cache immediately review their security configurations, turn off the feature if unused, or apply available patches.

The vulnerability underscores the importance of secure coding practices, particularly avoiding dynamic code evaluation functions like eval() in security-sensitive contexts.

Website owners should immediately review W3 Total Cache configurations, update to patched versions when available, and consider disabling dynamic content caching if it isn’t actively used.

Organizations running penetration tests should incorporate this vulnerability into their assessment protocols to identify exposed instances within their infrastructure.
