CVE-2025-9501 | THREATINT

Description

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.

PUBLISHED Reserved 2025-08-26 | Published 2025-11-17 | Updated 2025-11-17 | Assigner WPScan

Problem types

CWE-78 OS Command Injection

Product status

Default status

unaffected

Any version before 2.8.13

affected

Credits

wcraft finder

WPScan coordinator

References

wpscan.com/...rability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/ exploit vdb-entry technical-description

cve.org (CVE-2025-9501)

nvd.nist.gov (CVE-2025-9501)

Download JSON