Saved February 14, 2026
Do you care about this?
A critical vulnerability in the W3 Total Cache WordPress plugin allows attackers to execute PHP commands on affected servers by submitting malicious comments. The flaw, tracked as CVE-2025-9501, impacts all versions before 2.8.13, and users are urged to update immediately to avoid exploitation.
If you do, here's more
A significant vulnerability has been discovered in the W3 Total Cache (W3TC) WordPress plugin, affecting all versions before 2.8.13. Identified as CVE-2025-9501, this flaw allows attackers to execute PHP commands on the server by submitting comments containing malicious payloads. Given that W3TC is installed on over a million websites, the potential impact is extensive. As of the article's publication, approximately 430,000 downloads of the updated version have occurred, leaving many sites still exposed.
The vulnerability lies within the _parse_dynamic_mfunc() function, which processes dynamic function calls in cached content. WPScan highlights that unauthenticated users can exploit this function to gain control over affected WordPress sites. If successfully executed, an attacker could run any command without needing authentication. WPScan plans to release a proof-of-concept (PoC) exploit on November 24, prompting immediate concern over the security of vulnerable websites.
Website administrators are advised to upgrade to version 2.8.13 to mitigate the risk. For those unable to update by the PoC release date, it's recommended to deactivate the W3 Total Cache plugin or implement measures to prevent comment-based attacks. The urgency of the situation stems from the likelihood of rapid exploitation following the release of the PoC, making immediate action essential for site security.
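For sites that cannot update before the PoC is public, the article's fallback is to deactivate W3TC or block comment-based attacks. The mu-plugin below is an added illustration of that second option; it is not W3TC code, not part of the original article, and not a replacement for the 2.8.13 update. It assumes that W3TC's dynamic-fragment syntax is the documented HTML-comment markers `<!-- mfunc ... -->` / `<!-- /mfunc -->` and `<!-- mclude ... -->` / `<!-- /mclude -->`, and it uses only standard WordPress hooks and functions (`preprocess_comment`, `get_comments`, `wp_die`, `error_log`). The function names prefixed `cve_2025_9501_` are hypothetical.

```php
<?php
/**
 * Plugin Name: Reject W3TC dynamic-fragment markers in comments (mitigation example)
 * Description: Stopgap for CVE-2025-9501 until W3 Total Cache is updated to 2.8.13+.
 *              Drop into wp-content/mu-plugins/. Hypothetical example, not W3TC code.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * True if $text contains a W3TC dynamic-fragment marker.
 * Assumption: the markers are HTML comments opening with mfunc / mclude
 * (optionally a closing "/mfunc"). The match is case-insensitive and
 * tolerant of whitespace so trivial spacing variations are still caught.
 */
function cve_2025_9501_has_fragment_marker( $text ) {
    $pattern = '/<!--\s*\/?\s*m(?:func|clude)\b/i';
    return (bool) preg_match( $pattern, (string) $text );
}

/**
 * Runs on every new comment before it is stored. Any submitted field that
 * carries a marker is rejected with HTTP 403 and written to the PHP error
 * log so the attempt shows up in monitoring.
 */
function cve_2025_9501_screen_comment( $commentdata ) {
    $fields = array( 'comment_content', 'comment_author', 'comment_author_url', 'comment_author_email' );
    foreach ( $fields as $field ) {
        if ( isset( $commentdata[ $field ] ) && cve_2025_9501_has_fragment_marker( $commentdata[ $field ] ) ) {
            error_log( sprintf(
                'CVE-2025-9501 mitigation: fragment marker rejected in %s from %s on post %d',
                $field,
                isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
                isset( $commentdata['comment_post_ID'] ) ? (int) $commentdata['comment_post_ID'] : 0
            ) );
            wp_die( 'Comment rejected.', 'Comment rejected', array( 'response' => 403 ) );
        }
    }
    return $commentdata;
}
// Priority 1 so the check runs before other comment filters.
add_filter( 'preprocess_comment', 'cve_2025_9501_screen_comment', 1 );

/**
 * Triage helper: return the IDs of comments already in the database
 * (any status) that contain a marker, so they can be reviewed and
 * unapproved or deleted. Example from WP-CLI:
 *   wp eval 'print_r( cve_2025_9501_find_stored_markers() );'
 */
function cve_2025_9501_find_stored_markers( $batch = 500 ) {
    $hits   = array();
    $offset = 0;
    do {
        $comments = get_comments( array(
            'number' => $batch,
            'offset' => $offset,
            'status' => 'all',
        ) );
        foreach ( $comments as $comment ) {
            if ( cve_2025_9501_has_fragment_marker( $comment->comment_content ) ) {
                $hits[] = (int) $comment->comment_ID;
            }
        }
        $offset += $batch;
    } while ( count( $comments ) === $batch );
    return $hits;
}
```

The regex is deliberately broad: it flags any HTML comment that opens with `mfunc` or `mclude`, so a site that legitimately pastes such markers into comments would see false positives, which is an acceptable trade for a temporary block. The stored-comment scan matters because the vulnerable code path processes cached content, so a marker that was accepted before the filter went in can still be present; run it once after installing the mu-plugin and again after updating to 2.8.13.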