W3 Total Cache < 2.8.13 – Unauthenticated Command Injection | CVE 2025-9501

Description

The plugin is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.

Proof of Concept

Payload:

html
<!-- mfunc xxxxxx -->$message = 1337;<!-- /mfunc xxxxxx -->

1. Install the plugin.

2. In the wp-config.php file, add the constant: define('W3TC_DYNAMIC_SECURITY', 'xxxxxx');

Note: The value of `W3TC_DYNAMIC_SECURITY` can be identified if an `mfunc` comment has already been used previously, simply by inspecting the HTML generated for a page/post, querying the REST endpoints `/wp-json/wp/v2/posts` or `/wp-json/wp/v2/pages`, or in some cases, via usage errors.

3. Access any post in anonymous mode and submit a comment containing the payload above.

4. Observe that the PHP code `$message = 1337;` was executed.