A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload.
The vulnerability, tracked as CVE-2025-9501, affects all versions of the W3TC plugin prior to 2.8.13 and is described as an unauthenticated command injection.
W3TC is installed on more than one million websites to increase performance and reduce load times.
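The only actionable detail in the advisory for a site operator is the version threshold: anything below 2.8.13 is affected. The following script is an added example, not code from the article or from the plugin's authors, that reads the plugin's standard WordPress header block and reports whether the installed release is below the fixed version. It assumes the plugin lives at the usual path `wp-content/plugins/w3-total-cache/w3-total-cache.php` and that its `Version:` header field is the installed version; the embedded sample header is constructed for the demonstration, and pre-release suffixes are conservatively treated as older than the corresponding release.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Fixed release named in the advisory: every version below this is affected.
FIXED_VERSION = "2.8.13"

# Constructed sample of the WordPress plugin header block that the plugin's
# main file begins with; the version value here is chosen for the demo.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Description: Search Engine (SEO) & Performance Optimization (WPO) via caching.
 * Version: 2.8.12
 */
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.8.13' or '2.8.13-beta1' into a comparable tuple of ints.

    A trailing component marks pre-release (0) versus release (1), so
    '2.8.13-beta1' sorts below '2.8.13' and is still reported as affected.
    """
    core, sep, _suffix = text.strip().partition("-")
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    parts.append(0 if sep else 1)
    return tuple(parts)


def plugin_version_from_header(header: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True if the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_install(wp_root: str) -> Tuple[Optional[str], bool]:
    """Read the plugin's main file under a WordPress root.

    Returns (version, vulnerable); (None, False) when the plugin is absent.
    The path below is the standard plugin location (assumption for this example).
    """
    main_file = (Path(wp_root) / "wp-content" / "plugins"
                 / "w3-total-cache" / "w3-total-cache.php")
    if not main_file.is_file():
        return None, False
    version = plugin_version_from_header(main_file.read_text(errors="replace"))
    if version is None:
        raise RuntimeError(f"no Version: header found in {main_file}")
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Demonstrate on the constructed header; point check_install() at a real
    # WordPress root (e.g. check_install("/var/www/html")) on a live host.
    v = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    state = "VULNERABLE, update to 2.8.13 or later" if is_vulnerable(v) else "patched"
    print(f"sample header reports W3TC {v}: {state}")
```

Run it on the web host with the WordPress root as argument to `check_install()`; the header-parsing approach works even when WP-CLI is unavailable, and the same check can be looped over multiple document roots on a shared server.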
