CVE-2025-9501
published 2025-11-17

Priority: P1 (89), critical
CVSS 3.1: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploited in the wild: VulnCheck KEV; used for initial access
EPSS: 19.24% (97.0th percentile)
The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.

Detection & IOCs (extracted from sources)

url: hxxps://spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com
ip: 38.242.204[.]245
ip: 38.242.237[.]196
ip: 38.242.245[.]147
ip: 83.171.249[.]231
ip: 161.97.129[.]25
ip: 161.97.135[.]154
ip: 161.97.163[.]87
ip: 161.97.186[.]175
ip: 161.97.187[.]42
ip: 193.187.129[.]143
ip: 213.136.80[.]73
url: hxxps://cdn[.]cloudfront-js[.]com:8443/u
path: /var/lib/.spm/
filename: bootstrap.sh
filename: monitor.py
filename: check.sh
filename: /var/tmp/apt-daily-upgrade
other: _RPK = "6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo="
process: sys-monitor.service
bytes: <!-- mfunc ... <!-- /mfunc
  • Exploit payload is delivered via HTTP POST to a WordPress post comment endpoint; the malicious comment body contains the W3TC dynamic function markers `<!-- mfunc` and `<!-- /mfunc` wrapping injected PHP code. Detect by inspecting POST request bodies for both strings.
  • The vulnerability is triggered through the `_parse_dynamic_mfunc` function in W3 Total Cache versions prior to 2.8.13. Alert on PHP execution originating from comment-processing code paths in W3TC.
  • PCPJack worm exploits CVE-2025-9501 as one of five CVEs for propagation. Look for the worm's on-disk artifacts: `/var/lib/.spm/` directory, files named `monitor.py`, `_lat.py`, `_cu.py`, `_cr.py`, `_csc.py`, `utils.py`, and the persistence service `sys-monitor.service`.
  • PCPJack exfiltrates credentials to Telegram C2; each encrypted chunk is prepended with a 🔒 emoji after base64 encoding. Monitor outbound Telegram API traffic from server workloads for anomalous credential-shaped payloads.
  • The PCPJack bootstrap script removes itself after execution (`rm -f "$0"`). Detect via process auditing (auditd/eBPF) for shell scripts that self-delete immediately after spawning Python virtual environments.
  • The second PCPJack toolset drops Sliver ELF backdoor binaries named `update.bin`, `update-386.bin`, and `update-arm.bin` to `/var/tmp/apt-daily-upgrade`. Alert on ELF binaries written to `/var/tmp/` with these filenames.
  • PCPJack scans MongoDB on port 27017 as part of lateral movement and external propagation. Unexpected outbound connections to port 27017 from web-tier hosts may indicate active worm propagation.
  • The W3TC secret key (`W3TC Cache Secret`) is specifically targeted by the PCPJack credential extractor (`utils.py`). If this value is found in exfiltrated data or logs, it confirms W3TC exploitation in the environment.
  • The Emerging Threats Snort rule (sid:2065928) is marked `confidence Medium` and requires TLS decryption (`deployment SSLDecrypt`, `tls_state TLSDecrypt`) to fire on HTTPS WordPress traffic. Without SSL inspection, the rule will not detect encrypted exploit attempts.
  • If the `cryptography` Python library is not installed in the victim environment, PCPJack silently falls back to sending credentials in plaintext, meaning DLP/network monitoring may catch unencrypted exfiltration even without decrypting Telegram traffic.
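The first detection note above (inspect POST bodies for both `<!-- mfunc` markers) is easy to get wrong at the one place it matters: the markers arrive URL-encoded inside a form field, so a naive substring match on the raw body misses them. Below is an added example, not code from this page, from W3 Total Cache, or from the Emerging Threats rule, of a checker that parses a raw HTTP request, URL-decodes form fields before matching, and reports a finding. The three sample requests are constructed, and the rule name and severity labels are assumptions chosen for the example.

```python
"""Flag CVE-2025-9501 exploitation attempts in decrypted HTTP requests.

Added example (not from the page or from W3 Total Cache). Assumes the request
is available in clear text, e.g. from a ModSecurity audit log or a reverse
proxy behind TLS termination, since the exploit travels over HTTPS.
"""
import re
from urllib.parse import parse_qs

# Both W3TC dynamic-function markers must appear in the same decoded field,
# matching the IOC "<!-- mfunc ... <!-- /mfunc". Whitespace after "<!--" and
# letter case are tolerated so trivial variations do not evade the check.
MFUNC_OPEN = re.compile(r"<!--\s*mfunc\b", re.IGNORECASE)
MFUNC_CLOSE = re.compile(r"<!--\s*/mfunc\b", re.IGNORECASE)

# WordPress comment submission endpoint (path only; query string ignored).
COMMENT_ENDPOINT = "/wp-comments-post.php"


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def body_fields(headers, body):
    """Yield (field_name, decoded_value) pairs for the request body.

    Form-encoded bodies are decoded field by field: on the wire the markers
    look like %3C%21--+mfunc and a raw-body substring match would miss them.
    Any other content type is treated as one opaque field.
    """
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                yield name, value
    else:
        yield "<body>", body


def detect_mfunc_injection(raw_request: str):
    """Return a finding dict for a POST carrying both mfunc markers, else None.

    Hits on the comment endpoint (the sink named in the advisory) are rated
    "high"; the same markers in any other POST body are rated "medium".
    """
    method, path, headers, body = parse_raw_request(raw_request)
    if method != "POST":
        return None
    for name, value in body_fields(headers, body):
        if MFUNC_OPEN.search(value) and MFUNC_CLOSE.search(value):
            return {
                "rule": "w3tc-mfunc-post-body",  # assumed rule name
                "severity": "high" if path.endswith(COMMENT_ENDPOINT) else "medium",
                "path": path,
                "field": name,
                "snippet": value[:120],
            }
    return None


# Constructed sample requests (not captured traffic). The placeholder string
# stands where injected PHP would sit between the markers.
MALICIOUS_REQUEST = (
    "POST /wp-comments-post.php HTTP/1.1\r\n"
    "Host: blog.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "comment=Nice+post%21+%3C%21--+mfunc+--%3E+INJECTED_PHP_PLACEHOLDER"
    "+%3C%21--+%2Fmfunc+--%3E&author=bot&email=bot%40example.test&comment_post_ID=1"
)
BENIGN_REQUEST = (
    "POST /wp-comments-post.php HTTP/1.1\r\n"
    "Host: blog.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "comment=Thanks%2C+this+fixed+my+mfunc+config+issue&author=reader&comment_post_ID=1"
)
OTHER_ENDPOINT_REQUEST = (
    "POST /wp-json/wp/v2/posts HTTP/1.1\r\n"
    "Host: blog.example\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"content": "<!-- mfunc --> INJECTED_PHP_PLACEHOLDER <!-- /mfunc -->"}'
)

if __name__ == "__main__":
    for label, req in [("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST),
                       ("other-endpoint", OTHER_ENDPOINT_REQUEST)]:
        print(label, "->", detect_mfunc_injection(req))
```

Run this where the request body is already decrypted (origin server, WAF, or a proxy that terminates TLS); as the Snort note above says, a sensor that only sees ciphertext cannot match these strings. The word "mfunc" alone is not an indicator, only the comment-opener form, which is why the benign sample does not fire.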

CVSS provenance

nvd (v3.1): 9.0 CRITICAL, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 9.0 CRITICAL