If your WordPress website uses the popular W3 Total Cache (W3TC) plugin—installed on over a million sites for better performance—you need to take immediate action.
A critical security flaw has been disclosed that lets an unauthenticated attacker take full control of your site with very little effort.
The Immediate Threat: Unauthenticated Command Injection
- The Problem: An attacker doesn't need a password or a login. Posting a specially crafted comment on your site is enough to trigger the flaw.
- The Outcome: The crafted input is executed as PHP on your server, so the attacker can run arbitrary code in the context of your site, which leads to a complete compromise of the whole website (files, database and every account on it).
What You Need To Do Right Now
The vulnerability, tracked as CVE-2025-9501, affects all versions of W3 Total Cache older than 2.8.13.
The most important step you can take is to upgrade your plugin immediately:
Action: Update your W3 Total Cache plugin to version 2.8.13 or newer. This patched version was released on October 20.
The Urgency is Real
Despite the patch being available, hundreds of thousands of websites may still be running vulnerable versions. Security experts have already developed a Proof-of-Concept (PoC) exploit and plan to release it publicly on November 24.
Once this exploit code is public, mass attacks usually begin almost instantly. You must update before November 24 to protect your site.
What if I can’t upgrade immediately?
If you absolutely cannot perform the update before the deadline, you must temporarily do one of the following until the update is complete:
- Deactivate the W3 Total Cache plugin entirely, or
- Make sure no comments can be submitted on your site. Note that the "Allow people to submit comments on new posts" option under Settings > Discussion only affects new posts, so you also need to close comments on existing posts and pages.
Don’t wait. Check your WordPress plugins now and protect your business.
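As an added example (not code from W3 Total Cache or from this page's author), the following POSIX shell script checks whether the installed copy of the plugin is older than the patched 2.8.13 release by reading the `Version:` header of the plugin's main file. It assumes the standard WordPress layout, `wp-content/plugins/w3-total-cache/w3-total-cache.php`, and the usual plugin header format; the sample headers it runs against are constructed for the demo, not real plugin files.

```shell
#!/bin/sh
# Added example (not W3 Total Cache's own code): is the installed plugin older
# than the 2.8.13 release that fixes CVE-2025-9501?
# Assumptions: standard WordPress layout and plugin header format.

PATCHED_VERSION="2.8.13"

# Print the value of the "Version:" plugin header found in file $1.
# Headers look like " * Version: 2.8.12" inside the file's leading comment.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted version $1 is strictly older than $2. Components are
# compared as numbers, so 2.8.9 < 2.8.13 (a plain string compare gets this wrong).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Return 0 if the plugin file $1 is affected (version < 2.8.13),
# 1 if it is patched, 2 if the header cannot be read.
w3tc_is_vulnerable() {
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then
        echo "cannot read Version: header from $1" >&2
        return 2
    fi
    version_lt "$v" "$PATCHED_VERSION"
}

# Print a one-line verdict for the plugin file $1 (safe under set -e).
report() {
    status=0
    w3tc_is_vulnerable "$1" || status=$?
    case $status in
        0) echo "VULNERABLE: $1 is $(plugin_version "$1"); update to $PATCHED_VERSION or deactivate the plugin" ;;
        1) echo "OK: $1 is $(plugin_version "$1")" ;;
        *) echo "UNKNOWN: could not determine the version of $1" ;;
    esac
}

# Write a constructed plugin header (not a real plugin file) carrying version $1
# to a temp file and print its path. Used for the demo below.
sample_plugin_file() {
    f="$(mktemp)"
    printf '<?php\n/**\n * Plugin Name: W3 Total Cache\n * Version: %s\n */\n' "$1" > "$f"
    echo "$f"
}

# Demo on constructed headers, then on the real install if one is present.
report "$(sample_plugin_file 2.8.12)"   # VULNERABLE
report "$(sample_plugin_file 2.8.13)"   # OK

WP_ROOT="${1:-/var/www/html}"
REAL="$WP_ROOT/wp-content/plugins/w3-total-cache/w3-total-cache.php"
if [ -f "$REAL" ]; then
    report "$REAL"
fi
```

Run it as `sh check-w3tc.sh /path/to/wordpress`. If WP-CLI is available on the server, the equivalent checks and fixes are `wp plugin get w3-total-cache --field=version`, `wp plugin update w3-total-cache` and, as the stop-gap, `wp plugin deactivate w3-total-cache`.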
Need Help Securing Your Site?
Security vulnerabilities like this highlight the critical need for proactive website maintenance and rapid response. If you’re running a business on WordPress, keeping your software patched isn’t optional—it’s essential for protecting your data and your customers.
Unsure how to update, or worried about the security of your other plugins?
Our team specialises in fast, reliable WordPress security and maintenance. We can quickly check your entire site, confirm that you are running the patched version of W3 Total Cache, and ensure your site is hardened against future threats.
Don’t leave your website vulnerable to attack. Contact Finlay today to ensure your WordPress installation is secure and compliant.