WordPress plugin with over a million installs may have a worrying security flaw – here’s what we know

  • W3 Total Cache plugin flaw CVE-2025-9501 enables unauthenticated PHP command injection
  • Affects all versions before 2.8.13; ~327,000+ sites remain at risk
  • WPScan PoC exploit set for Nov 24, raising mass exploitation concerns

W3 Total Cache (W3TC), a WordPress plugin with more than a million users, carries a critical-severity vulnerability that allows threat actors to fully take over compromised websites, experts have warned.

The bug is described as a command injection flaw that works by submitting a comment with a malicious payload to a post. The attacker does not need to be authenticated on the website in order to inject PHP commands this way.

The vulnerability is now tracked as CVE-2025-9501, and with a severity score of 9.0/10 (critical), it affects all versions of the plugin before 2.8.13.

November 24 deadline

To patch the flaw, users should update their plugin to version 2.8.13, which was released on October 20.

WordPress.org's plugin statistics show that 67.3% of active installs are on the 2.8 release line, while the remaining 32.7% are on older versions. That alone puts at least 327,000 websites at risk.

However, being on the 2.8 line doesn't mean all of that 67.3% are running 2.8.13 specifically, so the actual number of vulnerable websites is likely a lot bigger.
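Since the only available mitigation is running 2.8.13 or later, an administrator's first job is to confirm which version is actually installed. The script below is an added example, not TechRadar's or the plugin's own code: it reads the WordPress plugin header from the plugin's main file (the standard path `wp-content/plugins/w3-total-cache/w3-total-cache.php` is assumed) and reports whether the installed version predates the fix.

```python
"""Report whether an installed W3 Total Cache predates the 2.8.13 fix for
CVE-2025-9501.  Added example; assumes the standard WordPress plugin layout
and the 'Version:' line of the plugin header comment."""
import re
import sys
from pathlib import Path

FIXED_VERSION = "2.8.13"
# Assumed location of the plugin's main file under the WordPress root.
PLUGIN_FILE = "wp-content/plugins/w3-total-cache/w3-total-cache.php"
# Matches the 'Version:' line of a WordPress plugin header ('* Version: 2.8.12').
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

# Constructed sample header used for a self-test; not taken from the plugin.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: W3 Total Cache
 * Version: 2.8.12
 */
"""

def parse_version(text):
    """Return the Version: header value from plugin file contents, or None."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None

def version_key(v):
    """Numeric tuple for comparison: '2.8.13' -> (2, 8, 13).
    A pre-release suffix such as '2.8.13-beta' is ignored."""
    nums = []
    for part in re.split(r"[.-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def is_vulnerable(version):
    """True when the installed version is older than the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)

def check_site(wp_root):
    """Return (version, vulnerable) for a WordPress root, or None if absent."""
    plugin_file = Path(wp_root) / PLUGIN_FILE
    if not plugin_file.is_file():
        return None  # plugin not installed
    version = parse_version(plugin_file.read_text(errors="replace"))
    if version is None:
        raise ValueError(f"no Version: header found in {plugin_file}")
    return version, is_vulnerable(version)

if __name__ == "__main__":
    result = check_site(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("W3 Total Cache not installed" if result is None
          else f"W3 Total Cache {result[0]}: {'UPDATE REQUIRED' if result[1] else 'patched'}")
```

Run it with the WordPress root as the argument; the same check scales to a fleet by looping over document roots.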

In their security advisory, researchers from WPScan, a security scanner built specifically for WordPress sites, said they developed a Proof-of-Concept (PoC) exploit for the flaw and set November 24 as the date they will publish it. By then, they expect the majority of websites to have updated the plugin to the patched version.

In many instances, mass exploitation starts the moment a PoC is released, since many threat actors can’t be bothered to develop one themselves, and will simply pick up on whatever is already out there. Therefore, it is crucial for WordPress site owners and admins to update before the deadline.

Via BleepingComputer

