If you run a WordPress site, you need to check your plugins immediately. Security experts have discovered a massive flaw in W3 Total Cache (W3TC), a popular performance tool used by over a million websites. This vulnerability allows attackers to seize full control of a site simply by posting a malicious comment.
The developers fixed the issue in version 2.8.13, released on October 20. If you haven’t updated since then, your site is at risk. Researchers tracked this bug as CVE-2025-9501 and gave it a severity score of 9.0 out of 10. It is a “command injection” flaw. To exploit it, a hacker submits a comment containing a specific malicious payload. They don’t need a password, an account, or administrator approval to do this. Once the system processes the comment, the hidden code executes PHP commands, effectively handing the attacker the keys to the server.
The numbers suggest many people are still vulnerable. WordPress.org data shows that 67.3% of users are on version 2.8, but this statistic doesn’t confirm whether they have the specific .13 patch. Meanwhile, 32.7% are definitely on older, unsafe versions. This means at least 327,000 websites are wide open to attack right now, though the real number is likely much higher.
Time is running out to fix this. WPScan, the security team that found the bug, created a Proof of Concept (PoC) to demonstrate the attack. They plan to publish this exploit code on November 24. They set this deadline to give site owners a head start on patching.
History shows that mass attacks usually begin the moment a PoC becomes public. Lazy hackers often wait for these releases so they don’t have to write their own code. Once the details drop on Sunday, bots will likely scour the web for unpatched sites. Verify your W3 Total Cache version and update it today to stay safe.
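The article's closing advice is to verify the installed W3 Total Cache version. The following is an added example, not code from the article, WPScan or the W3TC project: a POSIX shell check that reads the `Version:` field from a plugin's main file header (the same header WordPress itself parses) and compares it numerically against the fixed release 2.8.13 named above. The per-component comparison matters because a plain string comparison ranks "2.8.9" above "2.8.13". The sample header files are constructed inline; on a live site the file to point it at is assumed to be `wp-content/plugins/w3-total-cache/w3-total-cache.php`.

```shell
#!/bin/sh
# Added example (not from the article): flag a W3 Total Cache install
# that is older than the release the article says fixes CVE-2025-9501.
FIXED_VERSION="2.8.13"

# Compare two dotted versions numerically. Prints -1, 0 or 1 for a<b, a=b, a>b.
# Missing components count as 0 ("2.8" < "2.8.13"); trailing suffixes such
# as "-beta" are stripped from a component before the numeric comparison.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ "$a" = "$ac" ] && a="" || a="${a#*.}"
        [ "$b" = "$bc" ] && b="" || b="${b#*.}"
        ac="${ac%%[!0-9]*}"; bc="${bc%%[!0-9]*}"
        ac="${ac:-0}"; bc="${bc:-0}"
        if [ "$ac" -lt "$bc" ]; then echo -1; return; fi
        if [ "$ac" -gt "$bc" ]; then echo 1; return; fi
    done
    echo 0
}

# Pull the first "Version:" line out of a plugin header, tolerating the
# leading " * " of a block comment.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.A-Za-z-]*\).*/\1/p' "$1" | head -n 1
}

# Exit status 0 when the plugin file is below FIXED_VERSION (update needed),
# 1 when it is at or above it, 2 when no version header could be read.
w3tc_needs_update() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "no Version header found in $1" >&2
        return 2
    fi
    [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Demo on constructed header files mimicking the real layout. On a live site the
# path is assumed to be wp-content/plugins/w3-total-cache/w3-total-cache.php.
demo_dir=$(mktemp -d)
printf '<?php\n/*\n * Plugin Name: W3 Total Cache\n * Version: 2.8.9\n */\n' > "$demo_dir/old.php"
printf '<?php\n/*\n * Plugin Name: W3 Total Cache\n * Version: 2.8.13\n */\n' > "$demo_dir/fixed.php"
for f in "$demo_dir/old.php" "$demo_dir/fixed.php"; do
    if w3tc_needs_update "$f"; then
        echo "$f: version $(plugin_version "$f") is below $FIXED_VERSION, update now"
    else
        echo "$f: version $(plugin_version "$f") is patched"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real plugin file on each site you manage; an exit status of 0 from `w3tc_needs_update` means the install predates the fix. Because the check reads only the file header, it also works from a backup or a read-only mount without loading WordPress.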