W3 Total Cache unauthenticated command injection (CVE-2025-9501)
Vulnerability
Summary
A critical flaw in W3 Total Cache (W3TC) lets unauthenticated attackers inject commands through a malicious comment payload, potentially giving them full control of affected WordPress servers. The issue is tracked as CVE-2025-9501 and affects all versions prior to 2.8.13. A fixed release, 2.8.13, is available.
Timeline
19.11.2025 19:34 · 1 article
W3 Total Cache 2.8.13 patch release
Mitigation Patch Update: W3 Total Cache released version 2.8.13 on October 20 to fix CVE-2025-9501, a critical unauthenticated command injection flaw in the WordPress plugin that affects all versions prior to 2.8.13.
Sources:
- W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
19.11.2025 19:34 · 2 articles
CVE-2025-9501 disclosed in W3 Total Cache
Initial Disclosure: WPScan highlighted CVE-2025-9501 in the W3 Total Cache WordPress plugin on November 19, describing a comment-based malicious payload that can trigger _parse_dynamic_mfunc() to run PHP commands on the server without authentication. The flaw affects all versions prior to 2.8.13. WPScan said it would publish a proof-of-concept exploit on November 24, and site operators were advised to upgrade to 2.8.13 or deactivate the plugin until protected.
Sources:
- W3 Total Cache WordPress plugin vulnerable to PHP command injection — www.bleepingcomputer.com — 19.11.2025 19:34
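
A defender-side check for the upgrade advice above, added here as an example (it is not code from the original page, WPScan or the W3TC project): it walks a directory of WordPress installs and flags W3 Total Cache copies older than 2.8.13. The plugin location `w3-total-cache/w3-total-cache.php` is an assumption based on the default plugin slug, and the three sample sites are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 8, 13)  # first release with the fix, per the advisory above
# WordPress reads plugin metadata from a "Version:" line in the main file's header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(header):
    """Return the plugin version as a tuple of ints, or None if no header is found."""
    m = VERSION_RE.search(header)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True for any version prior to 2.8.13 (short versions are zero-padded)."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED

def audit(root):
    """Find W3TC installs under root; return sorted (plugin_dir, version, status)."""
    results = []
    # Assumption: default plugin slug and main file name.
    for main in Path(root).rglob("w3-total-cache.php"):
        if main.parent.name != "w3-total-cache":
            continue
        with open(main, errors="replace") as fh:
            version = parse_version(fh.read(8192))  # header sits at the top of the file
        if version is None:
            status = "unknown"  # no readable header: check this install by hand
        else:
            status = "affected" if is_affected(version) else "fixed"
        where = main.parent.relative_to(root).as_posix()
        results.append((where, ".".join(map(str, version or ())), status))
    return sorted(results)

def build_sample_tree(base):
    """Constructed sample data: three fake sites with different plugin versions."""
    for site, ver in [("shop", "2.8.12"), ("blog", "2.8.13"), ("old", "2.7")]:
        d = Path(base, site, "wp-content", "plugins", "w3-total-cache")
        d.mkdir(parents=True)
        (d / "w3-total-cache.php").write_text(
            f"<?php\n/**\n * Plugin Name: W3 Total Cache\n * Version: {ver}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for where, ver, status in audit(tmp):
            print(f"{status:9} {ver:8} {where}")
```

The check reads files only, so it cannot tell whether an affected copy is active; activation state is stored in the WordPress database and has to be confirmed separately.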