WordPress plugin with over a million installs may have a worrying security flaw - here's what we know
Critical WordPress plugin flaw allows threat actors to run arbitrary PHP commands
- W3 Total Cache plugin flaw CVE-2025-9501 enables unauthenticated PHP command injection
- Affects all versions before 2.8.13; ~327,000+ sites remain at risk
- WPScan PoC exploit set for Nov 24, raising mass exploitation concerns
W3 Total Cache (W3TC), a WordPress plugin with more than a million users, carries a critical-severity vulnerability that allows threat actors to fully take over compromised websites, experts have warned.
The bug is described as a command injection flaw that works by submitting a comment with a malicious payload to a post. The attacker does not need to be authenticated on the website in order to inject PHP commands this way.
The vulnerability is now tracked as CVE-2025-9501, and with a severity score of 9.0/10 (critical), it affects all versions of the plugin before 2.8.13.
November 24 deadline
To patch the flaw, users should update their plugin to version 2.8.13, which was released on October 20.
Looking at the data on the WordPress.org plugin page, 67.3% of active installs are on version 2.8, while the remaining 32.7% are on older versions. That puts at least 327,000 websites at risk.
However, that does not mean all of the 67.3% are running version 2.8.13, so the actual number of vulnerable websites is likely much larger.
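Because the fix is purely a version threshold (anything below 2.8.13 is affected), the quickest self-check is to read the version WordPress itself reports from the plugin's main file and compare it numerically. The script below is an added example written for this article; it is not code from TechRadar, WPScan or the W3 Total Cache project. It assumes the standard plugin path wp-content/plugins/w3-total-cache/w3-total-cache.php and uses a constructed header block for offline testing. It also shows the edge case that bites ad-hoc checks: plain string comparison ranks "2.8.9" above "2.8.13".

```python
import re
import sys
from typing import Optional, Tuple

# Version that closes CVE-2025-9501, as stated in the article.
FIXED_VERSION = "2.8.13"

# Assumed default location of the plugin's main file on a standard install.
DEFAULT_PLUGIN_FILE = "wp-content/plugins/w3-total-cache/w3-total-cache.php"

# Constructed sample of a plugin header block, in the layout WordPress reads
# from a plugin's main PHP file. This text is an assumption for testing, not
# a copy of the real plugin file.
SAMPLE_HEADER_OLD = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Description: Constructed sample header for an offline version check.
 * Version: 2.8.9
 */
"""


def parse_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' header value, tolerating the '*' comment prefix."""
    match = re.search(r"^[ \t/*#@]*Version:\s*(\S+)",
                      header_text, re.MULTILINE | re.IGNORECASE)
    return match.group(1).strip() if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Split '2.8.13' into (2, 8, 13) so components compare as integers.

    A plain string compare gets this wrong: '2.8.9' > '2.8.13' because the
    comparison stops at '9' versus '1'. Non-numeric suffixes are dropped.
    """
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return version_tuple(installed) < version_tuple(fixed)


def audit_header(header_text: str) -> dict:
    """Combine parsing and comparison into one result for a plugin header."""
    version = parse_version(header_text)
    return {
        "version": version,
        "vulnerable": is_vulnerable(version) if version else None,
    }


if __name__ == "__main__":
    # With a path argument, audit a real plugin file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read(8192)  # the header sits at the top of the file
    else:
        text = SAMPLE_HEADER_OLD
    result = audit_header(text)
    state = "VULNERABLE (update to %s)" % FIXED_VERSION if result["vulnerable"] else "patched"
    print("W3 Total Cache %s: %s" % (result["version"], state))
```

Run it as `python check_w3tc.py /var/www/html/wp-content/plugins/w3-total-cache/w3-total-cache.php` on each site you administer; on a multi-site host, loop it over every docroot, since the article's point is that a large share of installs on the 2.8 branch may still be short of 2.8.13.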
In their security advisory, researchers from WPScan, a security scanner built specifically for the WordPress website builder, said they developed a Proof-of-Concept (PoC) exploit for the flaw, and set a deadline for November 24 to publish it. Before that, they expect the majority of websites to have updated their plugins to the secured version.
In many instances, mass exploitation starts the moment a PoC is released, since many threat actors can’t be bothered to develop one themselves, and will simply pick up on whatever is already out there. Therefore, it is crucial for WordPress site owners and admins to update before the deadline.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.