Unauthenticated PHP Code Injection in W3 Total Cache

This repository is a small standalone Python proof-of-concept exploit for CVE-2025-9501, described in the code as a pre-authenticated remote code execution issue in the W3 Total Cache WordPress plugin. The repository contains only two files: a minimal README and the main exploit script, poc_cve_2025_9501.py. The Python script is the clear entry point and implements the full exploitation workflow. The exploit logic is structured around several stages. First, it verifies or assumes the target is a WordPress site using W3 Total Cache. It then discovers candidate posts that allow unauthenticated comments, primarily through the WordPress REST API endpoint /wp-json/wp/v2/posts and secondarily by scraping the homepage and individual article pages for post IDs and comment form markers. Once a suitable post is found, it submits a malicious comment to /wp-comments-post.php. The comment body contains a W3 Total Cache mfunc block wrapping PHP code, with the default payload echo passthru($_GET['cmd']);. This means arbitrary OS commands can be supplied later through the cmd query parameter. After comment injection, the script triggers execution by requesting the target post URL in the form /?p={post_id}&cmd={cmd}. If the vulnerable caching behavior processes the injected mfunc block, the supplied command executes on the server and its output is returned in the HTTP response. The script supports using a provided secret, attempting to brute-force common secrets, and optionally trying to extract the secret from wp-config.php exposure. Based on the visible code and CLI options, this is an actual exploit rather than a detector. It is operational but not heavily weaponized: it includes a working hardcoded PHP command-execution payload and some automation for discovery and secret handling, but it is still a simple standalone PoC rather than a framework-integrated exploit.