CVE-2025-9501
Published: 17 November 2025
Summary
CVE-2025-9501 is a critical-severity vulnerability whose weakness type (CWE) is unspecified. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The W3 Total Cache WordPress plugin before version 2.8.13 contains a command injection vulnerability in the _parse_dynamic_mfunc function. This flaw resides in a widely deployed caching plugin for WordPress sites and carries a CVSS 3.1 score of 9.0.
Unauthenticated remote attackers can exploit the issue by submitting a crafted comment containing a malicious payload to any post on an affected site, resulting in execution of arbitrary PHP commands with the privileges of the web server process.
The referenced WPScan advisory identifies the affected plugin versions and indicates that the issue is resolved in release 2.8.13.
EPSS scores remain low, with a current value of 0.0283 and a peak of 0.0380.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-197764
Vulnerability details
The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a command injection in a public-facing WordPress plugin, allowing unauthenticated remote code execution, directly mapping to exploitation of public-facing applications.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the command injection flaw in the W3 Total Cache plugin's _parse_dynamic_mfunc function by requiring timely patching to version 2.8.13 or later.
- SI-10 (Information Input Validation): Enforces validation and sanitization of unauthenticated user input, such as comments, to block malicious payloads that would trigger PHP command execution.
- Enables vulnerability scanning to identify vulnerable W3 Total Cache versions for prioritized remediation.