WordPress Plugin Vulnerabilities
Description
The plugin is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.
Proof of Concept
| The PoC will be displayed on November 24, 2025, to give users the time to update. |
Affects Plugins
| w3-total-cache | Fixed in 2.8.13 |