CVE-2025-9501

CRITICAL · EXPLOITED

W3 Total Cache <2.8.13 - Command Injection

Exploitation Summary

CVE-2025-9501 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including InnerFireZ.

AI-analyzed exploit summary: This repository contains a functional Python-based PoC for CVE-2025-9501, a pre-authentication RCE vulnerability in W3 Total Cache for WordPress. The exploit automates the discovery of posts with open comments, posts a malicious comment with an mfunc payload, and triggers RCE by visiting the cached page.

Description

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.

Exploits (1)

nomisec · WORKING POC
by InnerFireZ · remote
https://github.com/InnerFireZ/CVE-2025_9501-POC
Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: W3 Total Cache for WordPress
Authentication: No auth needed
Prerequisites: WordPress site with W3 Total Cache plugin active · Posts with open comments · Accessible wp-comments-post.php
Analyzed by devstral-2 on Apr 26, 2026

References (1)

Core References (1)
Third Party Advisory · exploit · vdb-entry · technical-description
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/

Scores

CVSS v3 9.0
EPSS 0.0296
EPSS Percentile 86.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2026-05-07
Status published
Products (1)
Unknown/W3 Total Cache < 2.8.13
Published Nov 17, 2025
Tracked Since Feb 18, 2026