Security researchers released a proof-of-concept exploit for CVE-2025-9501, a critical unauthenticated remote code execution flaw in the W3 Total Cache WordPress plugin.
This vulnerability affects over 1 million sites and allows attackers to run arbitrary PHP code via simple comments.
The flaw affects versions of W3 Total Cache before 2.8.13, a popular plugin for speeding up WordPress sites through caching.
It stems from improper handling of dynamic content in the PgCache_ContentGrabber class’s _parse_dynamic_mfunc function, which uses PHP’s eval() to process code from comments.
Attackers craft malicious comments matching this pattern: <!-- mfunc [W3TC_DYNAMIC_SECURITY] -->[malicious PHP code]<!-- /mfunc [W3TC_DYNAMIC_SECURITY] -->, where W3TC_DYNAMIC_SECURITY is a secret string set in wp-config.php.
Once injected, the plugin's page cache feature processes the comment while serving the page, and the embedded PHP (for example echo passthru($_GET)) is executed.
Exploitation requires three conditions: page caching enabled (the default), comments open to unauthenticated users, and knowledge of the security constant, which is often guessable from documentation or leaks.
CVSS score is 9.0 (critical), with network access, no privileges required, and high impact on confidentiality, integrity, and availability.
Exploitation starts with posting a tainted comment on any page; once the page is cached server-side, the injected code runs persistently for every visitor.
If comments require login, it drops to authenticated RCE, which is still risky for admins. Researcher Julien Ahrens from RCE Security dissected the preg_replace_callback in _parse_dynamic, confirming the eval sink.
Site owners must update to 2.8.13 immediately, as PoC availability spikes real-world attacks.
Workarounds include disabling the page cache, closing comments to guests, or setting W3TC_DYNAMIC_SECURITY to a long random secret.
Scan for vulnerable installs via headers or Shodan, and monitor logs for mfunc patterns to catch attempts.
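As an added illustration of the log monitoring suggested above (example code written for this article, not part of the plugin or the researcher's PoC), the following Python detector flags mfunc markers in submitted comment text or form-encoded request bodies. The regex is an assumed approximation of the marker syntax described above, not W3 Total Cache's own pattern, and the sample input and EXAMPLE_SECRET_PLACEHOLDER token are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed detection pattern (an approximation, not W3 Total Cache's own regex):
# an HTML comment that opens or closes an mfunc block, optionally followed by
# the W3TC_DYNAMIC_SECURITY token. Case and whitespace are tolerated so that
# trivially reformatted markers are still caught.
MFUNC_MARKER = re.compile(
    r"<!--\s*(?P<close>/?)mfunc\b(?P<token>[^>]*?)\s*-->",
    re.IGNORECASE,
)

def normalize(line: str) -> str:
    """Undo one layer of form/URL encoding so markers in a POST body become visible."""
    return unquote_plus(line)

def find_mfunc_markers(text: str) -> list[dict]:
    """Return every mfunc marker found, with line number, open/close flag and token."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        for m in MFUNC_MARKER.finditer(normalize(raw)):
            hits.append({
                "line": line_no,
                "closing": bool(m.group("close")),
                "token": m.group("token").strip(),
                "match": m.group(0),
            })
    return hits

def has_mfunc_block(text: str) -> bool:
    """True when an opening marker is later followed by a closing one."""
    opened = False
    for h in find_mfunc_markers(text):
        if not h["closing"]:
            opened = True
        elif opened:
            return True
    return False

# Constructed sample input: a benign comment, a comment carrying mfunc markers,
# and the same markers as they would appear in a URL-encoded form submission.
SAMPLE = "\n".join([
    "Great article, thanks for the caching tips!",
    "<!-- mfunc EXAMPLE_SECRET_PLACEHOLDER --> echo 'x'; <!-- /mfunc EXAMPLE_SECRET_PLACEHOLDER -->",
    "comment=%3C%21--+mfunc+EXAMPLE_SECRET_PLACEHOLDER+--%3E+echo+%27x%27%3B+%3C%21--+%2Fmfunc+EXAMPLE_SECRET_PLACEHOLDER+--%3E",
])

if __name__ == "__main__":
    for hit in find_mfunc_markers(SAMPLE):
        print(hit)
    print("mfunc block present:", has_mfunc_block(SAMPLE))
```

Feeding comment submissions or WAF request logs through find_mfunc_markers gives a simple alert source; a token value that matches the site's real W3TC_DYNAMIC_SECURITY means the constant is known to the submitter.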
This flaw underscores the risks of caching plugins; always pair performance tools with tight security configurations. WordPress teams fixed it swiftly, but mass scans loom after the PoC.