W3 Total Cache Command Injection Vulnerability

Source: Cyber Security News

A critical command injection vulnerability with a CVSS score of 9.0 has been discovered in W3 Total Cache. Attackers can exploit the flaw in the _parse_dynamic_mfunc function by submitting malicious payloads via WordPress comments, which can lead to complete server compromise, including data theft and malware installation.

The vulnerability requires no authentication, which makes it particularly dangerous for unpatched installations: they are exposed to Remote Code Execution (RCE) attacks. The public disclosure on October 27, 2025, underlines the need for immediate remediation. The development team has released a patch in version 2.8.13, and WordPress administrators are urged to update immediately to mitigate the risk.
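To find installations still below the patched release, the following added example (not from the article or the W3 Total Cache project) reads the plugin's Version header under each WordPress tree and compares it numerically with 2.8.13. It assumes the standard wp-content/plugins/w3-total-cache/w3-total-cache.php layout and that every release before 2.8.13 needs the update; the sample trees are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 8, 13)  # patched release named in the article
# Assumption: standard plugin layout; the main file carries the "Version:" header.
PLUGIN_FILE = "wp-content/plugins/w3-total-cache/w3-total-cache.php"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """Numeric compare: as plain strings, '2.8.9' would sort after '2.8.13'."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def audit(root):
    """Scan every WordPress tree under root; return {site_dir: status}."""
    results = {}
    for main in Path(root).rglob(PLUGIN_FILE):
        site = main.parents[3]  # directory that contains wp-content/
        version = parse_version(main.read_text(errors="replace")[:8192])
        if version is None:
            results[str(site)] = "unknown"
        else:
            results[str(site)] = "VULNERABLE" if is_vulnerable(version) else "patched"
    return results


def build_sample(root):
    """Constructed sample trees (not real installs) for a dry run."""
    for name, ver in {"site-a": "2.8.9", "site-b": "2.8.13", "site-c": "2.9.0"}.items():
        f = Path(root) / name / PLUGIN_FILE
        f.parent.mkdir(parents=True)
        f.write_text(f"<?php\n/**\n * Plugin Name: W3 Total Cache\n * Version: {ver}\n */\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for site, status in sorted(audit(tmp).items()):
            print(f"{status:10} {site}")
```

Point `audit()` at the directory that holds the WordPress document roots; a site reported as "unknown" has the plugin file but no readable Version header and should be checked by hand.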

👉 Read the original: Cyber Security News