Cyber Resilience

CVE-2025-9501

Critical

Published: 17 November 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (version 2.8.13)
CVSS v3.1 Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0283 (86.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9501 is a critical-severity vulnerability of an unspecified weakness type (no CWE is listed). Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The W3 Total Cache WordPress plugin before version 2.8.13 contains a command injection vulnerability in the _parse_dynamic_mfunc function. This flaw resides in a widely deployed caching plugin for WordPress sites and carries a CVSS 3.1 score of 9.0.

Unauthenticated remote attackers can exploit the issue by submitting a crafted comment containing a malicious payload to any post on an affected site, resulting in execution of arbitrary PHP commands with the privileges of the web server process.

The referenced WPScan advisory identifies the affected plugin versions and indicates that the issue is resolved in release 2.8.13.

EPSS scores remain low, with a current value of 0.0283 and a peak of 0.0380.

Vulnerability details

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.

CWE(s): None listed

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a command injection in a public-facing WordPress plugin, allowing unauthenticated remote code execution, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
Directly remediates the command injection flaw in the W3 Total Cache plugin's _parse_dynamic_mfunc function by requiring timely patching to version 2.8.13 or later.

SI-10 Information Input Validation (prevent)
Enforces validation and sanitization of unauthenticated user input, such as comments, to block malicious payloads that trigger PHP command execution.

Vulnerability scanning (detect)
Enables vulnerability scanning to identify the command injection issue in vulnerable W3 Total Cache versions for prioritized remediation.
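The detect and remediate controls above come down to one question: is the installed W3 Total Cache release older than 2.8.13? The following added example (not from the advisory or the plugin project) answers it by reading the plugin's standard WordPress header; the plugin path and the sample header are assumptions, and it compares versions numerically because a plain string comparison puts 2.8.9 after 2.8.13.

```python
"""Check an installed W3 Total Cache release against the CVE-2025-9501 fix version."""
import re
from pathlib import Path
from typing import Optional, Tuple, Union

FIXED_VERSION = "2.8.13"  # release the advisory names as resolving CVE-2025-9501
# Conventional location of the plugin's main file below a WordPress document
# root (assumed path; the advisory does not state it).
PLUGIN_MAIN_FILE = Path("wp-content/plugins/w3-total-cache/w3-total-cache.php")

# Constructed sample of a WordPress plugin header block; every plugin declares
# its metadata as "Key: value" lines inside the opening PHP comment.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Version: 2.8.9
 * Text Domain: w3-total-cache
 */
"""

def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\d[\w.\-]*)", header_text,
                      re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key: 2.8.9 must sort below 2.8.13 (string order gets this wrong)."""
    key = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)  # tolerate suffixes such as "13-beta1"
        key.append(int(digits.group(0)) if digits else 0)
    return tuple(key)

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release predates the fixed release."""
    return version_key(installed) < version_key(fixed)

def assess_header(header_text: str) -> Tuple[Optional[str], bool]:
    """Return (version, vulnerable); an unparseable header is flagged for manual review."""
    version = parse_plugin_version(header_text)
    return version, True if version is None else is_vulnerable(version)

def assess_wordpress_root(wp_root: Union[str, Path]) -> Tuple[Optional[str], bool]:
    """Read the plugin header from a WordPress install; an absent plugin is not vulnerable."""
    main_file = Path(wp_root) / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return None, False
    # The header sits at the top of the file, so the first 8 KiB is enough.
    return assess_header(main_file.read_text(encoding="utf-8", errors="replace")[:8192])

if __name__ == "__main__":
    version, vulnerable = assess_header(SAMPLE_HEADER)
    print(f"W3 Total Cache {version}: {'update to ' + FIXED_VERSION if vulnerable else 'patched'}")
```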
