Critical Unauthenticated RCE Vulnerability in W3 Total Cache WordPress Plugin (CVE-2025-9501)
A critical vulnerability (CVE-2025-9501) has been identified in the W3 Total Cache WordPress plugin, affecting versions prior to 2.8.13. This flaw allows unauthenticated attackers to execute arbitrary PHP commands on affected sites by submitting a specially crafted comment, exploiting the _parse_dynamic_mfunc function. The vulnerability has been assigned a CVSS score of 9.0, indicating a high risk of remote code execution, and potentially impacts up to 1 million WordPress sites using the vulnerable plugin version.
Security researchers warn that exploitation of this vulnerability could allow attackers to fully compromise WordPress installations without authentication, leading to site defacement, data theft, or further malware deployment. Administrators are strongly advised to update W3 Total Cache to version 2.8.13 or later to mitigate the risk, as the vulnerability is remotely exploitable and poses a significant threat to a large number of websites.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Technical exploitation details for CVE-2025-9501 are published
Researchers disclosed that the bug stems from eval() use in the _parse_dynamic_mfunc function and can be exploited through crafted comments when the W3TC_DYNAMIC_SECURITY secret is known, comments are enabled, and Page Cache is active. A working pre-auth RCE exploit was confirmed and published, providing concrete technical details about exploitability.
CVE-2025-9501 is publicly disclosed as a critical W3 Total Cache flaw
Public reporting identified CVE-2025-9501 as a critical vulnerability in W3 Total Cache versions before 2.8.13, affecting a plugin with more than 1 million WordPress installations. The flaw was described as an unauthenticated command injection with a CVSS score of 9.0.
Researcher reports CVE-2025-9501 in W3 Total Cache to WPScan
The unauthenticated command injection flaw later assigned CVE-2025-9501 was originally reported by researcher wcraft to WPScan. The issue affected W3 Total Cache and could lead to remote code execution under certain plugin configurations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress (CVE-2025-9501)
rcesecurity.com
Open sourceW3 Total Cache WordPress plugin vulnerable to PHP command injection
bleepingcomputer.com
Open sourceCritical W3 Total Cache Flaw (CVE-2025-9501, CVSS 9.0) Risks Unauthenticated RCE on 1 Million WordPress Sites
securityonline.info
Open sourceCVE-2025-9501 - W3 Total Cache < 2.8.13 - Unauthenticated Command Injection
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Unauthenticated File Upload RCE in WPvivid Backup & Migration (CVE-2026-1357)
A **critical vulnerability in the WordPress plugin *WPvivid Backup & Migration*** (aka *Migration, Backup, Staging – WPvivid Backup & Migration*) allows **unauthenticated arbitrary file upload leading to remote code execution (RCE)** on affected sites. Tracked as **CVE-2026-1357** with **CVSS 9.8**, the issue impacts plugin versions **<= 0.9.123** and is tied to the plugin’s remote transfer functionality (`send_to_site()` / `wpvivid_action=send_to_site`), which processes incoming backup data from other sites. Technical details indicate the exploit chain combines **broken cryptographic error handling** with **unsafe file write behavior**: when `openssl_private_decrypt()` fails, execution continues and a `false` value is passed into AES initialization, which is treated as a predictable **null-byte key**. Attackers can craft payloads encrypted with this null-byte key to bypass intended protections, then leverage missing file validation (and reported lack of filename/path sanitization enabling **directory traversal**) to write attacker-controlled files (e.g., PHP web shells) into web-accessible locations, enabling full site takeover and data access (including database contents).
Mar 21, 2026
Unauthenticated Remote Code Execution in Advanced Custom Fields: Extended WordPress Plugin
A critical unauthenticated remote code execution vulnerability has been identified in the *Advanced Custom Fields: Extended* plugin for WordPress, affecting versions 0.9.0.5 through 0.9.1.1. The flaw resides in the `prepare_form()` function, which improperly handles user input by passing it directly to `call_user_func_array()`, enabling attackers to execute arbitrary code on the server without authentication. This vulnerability allows threat actors to inject backdoors, create new administrative accounts, and potentially take full control of affected WordPress sites. Security researchers warn that exploitation of this vulnerability could lead to complete compromise of website integrity and confidentiality, including data theft and malware installation. Administrators are strongly advised to update the plugin to a secure version, implement Zero Trust security models, enable multi-factor authentication for admin accounts, and harden PHP configurations. The vulnerability is mapped to MITRE ATT&CK techniques T1059 (Command and Scripting Interpreter) and T1190 (Exploit Public-Facing Application).
Mar 21, 2026
Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.
Mar 21, 2026