VYPR
Critical severity9.0NVD Advisory· Published Nov 17, 2025· Updated Apr 15, 2026

CVE-2025-9501

CVE-2025-9501

Description

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

4