Critical severity9.0NVD Advisory· Published Nov 17, 2025· Updated Apr 15, 2026
CVE-2025-9501
CVE-2025-9501
Description
The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: < 2.8.13
Patches
Vulnerability mechanics
References
1News mentions
4- ‘PCPJack’ Worm Removes TeamPCP Infections, Steals CredentialsSecurityWeek · May 8, 2026
- New PCPJack worm steals credentials, cleans TeamPCP infectionsBleepingComputer · May 7, 2026
- PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud SystemsThe Hacker News · May 7, 2026
- Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential HarvestingTheDFIRReport · Apr 22, 2026