CVE-2013-2010

CRITICAL

W3 Total Cache < 0.9.2.8 - Remote PHP Code Execution

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-2010. PoCs were published by Metasploit, spyata123, Unknown, juan vazquez, hdm, and Christian Mehlmauer, and include the Metasploit module exploits/unix/webapp/wp_total_cache_exec.

AI-analyzed exploit summary: This Metasploit module exploits a PHP code injection vulnerability in WordPress W3 Total Cache (up to 0.9.2.8) by injecting malicious code via comment macros. It supports both authenticated and unauthenticated exploitation, with options for brute-forcing post IDs.

Description

WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/25137

This Metasploit module exploits a PHP code injection vulnerability in WordPress W3 Total Cache (up to 0.9.2.8) by injecting malicious code via comment macros. It supports both authenticated and unauthenticated exploitation, with options for brute-forcing post IDs.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress W3 Total Cache <= 0.9.2.8
No auth needed
Prerequisites: WordPress with W3 Total Cache plugin installed · Comments enabled · Post ID (or brute-force capability)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by spyata123 · poc
https://github.com/spyata123/w3-total-cache-cve-2013-2010

This is a Python-based exploit for CVE-2013-2010, targeting a Remote Code Execution (RCE) vulnerability in the W3 Total Cache WordPress plugin. The exploit sends a malicious payload via a crafted comment to execute arbitrary PHP code.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: W3 Total Cache WordPress plugin (versions prior to 0.9.2.4)
No auth needed
Prerequisites: Target must have W3 Total Cache plugin installed and vulnerable · WordPress comment functionality must be enabled
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Unknown, juan vazquez, hdm, Christian Mehlmauer · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_total_cache_exec.rb

This Metasploit module exploits a PHP code injection vulnerability in WordPress W3 Total Cache (up to 0.9.2.8) via malicious comment injection using the 'mfunc' macro. It supports authenticated and unauthenticated exploitation, with options for brute-forcing post IDs.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress W3 Total Cache <= 0.9.2.8
No auth needed
Prerequisites: WordPress with W3 Total Cache plugin vulnerable version · Comments enabled on a post · Comments not moderated (if unauthenticated)
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/bid/59316
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://www.exploit-db.com/exploits/25137
Mailing List, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2013/04/24/9

Scores

CVSS v3: 9.8
EPSS: 0.8166
EPSS Percentile: 99.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-74
Status: published
Products (2):
automattic/wp_super_cache < 1.2
boldgrid/w3_total_cache < 0.9.2.8
Published: Feb 12, 2020
Tracked Since: Feb 18, 2026