- W3 Complete Cache plugin flaw CVE-2025-9501 allows unauthenticated PHP command injection
- Impacts all variations earlier than 2.8.13; ~327,000+ websites stay in danger
- WPScan PoC exploit set for Nov 24, elevating mass exploitation considerations
W3 Complete Cache (W3TC), a WordPress plugin with greater than 1,000,000 customers, carries a critical-severity vulnerability that permits risk actors to completely take over compromised web sites, consultants have warned.
The bug is described as a command injection flaw that works by submitting a remark with a malicious payload to a submit. The attacker doesn’t have to be authenticated on the web site with a view to inject PHP instructions this manner.
The vulnerability is now tracked as CVE-2025-9501, and with a severity rating of 9.0/10 (crucial), it impacts all variations of the plugin earlier than 2.8.13.
November 24 deadline
To patch the flaw, customers ought to replace their plugin to model 2.8.13, which was launched on October 20.
Wanting on the information from the WordPress.org website, it says that 67.3% of pages have up to date to model 2.8, whereas the remaining 32.7% are on older variations. That will put at the least 327,000 web sites in danger.
Nonetheless, it doesn’t imply that each one 67.3% are operating model 2.8.13, so the precise variety of susceptible web sites is probably going so much larger.
Of their safety advisory, researchers from WPScan, a safety scanner constructed particularly for the WordPress web site builder, stated they developed a Proof-of-Idea (PoC) exploit for the flaw, and set a deadline for November 24 to publish it. Earlier than that, they count on nearly all of web sites to have up to date their plugins to the secured model.
In lots of situations, mass exploitation begins the second a PoC is launched, since many risk actors can’t be bothered to develop one themselves, and can merely decide up on no matter is already on the market. Subsequently, it’s essential for WordPress website homeowners and admins to replace earlier than the deadline.
By way of BleepingComputer
The most effective antivirus for all budgets
Observe TechRadar on Google Information and add us as a most well-liked supply to get our knowledgeable information, evaluations, and opinion in your feeds. Ensure that to click on the Observe button!
And naturally you can too comply with TechRadar on TikTok for information, evaluations, unboxings in video kind, and get common updates from us on WhatsApp too.
