CVE-2025-9501
W3 · W3 Total Cache WordPress plugin
A critical command injection vulnerability has been identified in the W3 Total Cache WordPress plugin.
Executive summary
The W3 Total Cache WordPress plugin, in versions prior to 2.8.13, contains a critical PHP command injection flaw (CVE-2025-9501) in its handling of comment content. An unauthenticated attacker can obtain remote code execution on the web server by submitting a specially crafted comment; no account or prior access is required. Successful exploitation can lead to a complete compromise of the affected website, resulting in data theft, service disruption, and further intrusion into the surrounding network.
Vulnerability
The vulnerability lies in the plugin's _parse_dynamic_mfunc function, which implements W3 Total Cache's dynamic-fragment ("mfunc") feature: PHP code placed between mfunc markers in cached page content is evaluated when the cached page is served. The function does not properly sanitize user-supplied input, and comment text is rendered into the cached page, so attacker-controlled comment content reaches it. An unauthenticated attacker can therefore place PHP code wrapped in mfunc markers in a comment submitted to any post on a vulnerable site. When the plugin later parses that content, the embedded PHP is evaluated by the PHP interpreter with the privileges of the web server process, giving Remote Code Execution (RCE).
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.0, reflecting the ease of exploitation and the potential for severe impact. A successful attack grants the adversary complete control over the web application and potentially the underlying server. This could lead to the theft of sensitive data such as customer information and intellectual property, website defacement, distribution of malware to visitors, and the use of the compromised server in botnet or phishing campaigns. Such an incident can cause significant financial loss, reputational damage, and legal liabilities.
Remediation
Immediate Action: Update the W3 Total Cache WordPress plugin to version 2.8.13 or later, which contains the patch for this vulnerability. After updating, review web server and application logs, and the stored comments themselves, for signs of exploitation that may have occurred before patching, and delete any comment found to contain injected PHP code.
Proactive Monitoring: Monitor web server access logs for unusual volumes or patterns of POST requests to the comment submission endpoint (wp-comments-post.php), for example bursts from a single client IP or requests with non-browser user agents. Note that standard access logs do not record request bodies, so the comment payload itself must be inspected where it is stored (the comment_content column of the wp_comments table) or in a WAF or request-logging layer: look for W3 Total Cache's mfunc markers and for PHP execution functions such as eval(), system(), passthru(), shell_exec(), or base64_decode(). Also monitor for unexpected file modifications or the appearance of new, suspicious files (e.g., web shells) in the WordPress installation directory.
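As an added example (not code from this advisory or from the W3 Total Cache project), the following Python script implements the checks described above: a version test against the patched release, a scan of stored comment bodies for mfunc markers and PHP execution functions, and a per-IP count of POSTs to wp-comments-post.php from combined-format access logs. The log lines and comment rows are constructed; the mfunc marker syntax is assumed from W3 Total Cache's dynamic-fragment documentation and should be adjusted if your installation differs.

```python
"""Triage helpers for CVE-2025-9501 (W3 Total Cache before 2.8.13).

Added example, not part of the advisory or of the plugin. The log lines and
comment rows below are constructed. ASSUMPTION: the mfunc marker syntax
(<!-- mfunc ... --> ... <!-- /mfunc ... -->) follows W3 Total Cache's
dynamic-fragment documentation; adjust MFUNC_RE if your version differs.
"""
import re
from collections import Counter

PATCHED = (2, 8, 13)  # first fixed release named in the advisory


def is_vulnerable(version: str) -> bool:
    """True if a plugin version string sorts before the patched release."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0, 0])[:3]) < PATCHED


# W3TC dynamic-fragment markers (assumed syntax, see module docstring).
MFUNC_RE = re.compile(r"<!--\s*/?mfunc\b", re.IGNORECASE)
# PHP execution / decoding functions named in the advisory, plus common siblings.
PHP_FUNC_RE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|base64_decode)\s*\(",
    re.IGNORECASE,
)


def scan_comment(body: str) -> list:
    """Indicators found in one stored comment body (wp_comments.comment_content)."""
    hits = []
    if MFUNC_RE.search(body):
        hits.append("mfunc-marker")
    hits += ["php-func:" + m.group(1).lower() for m in PHP_FUNC_RE.finditer(body)]
    return hits


# Apache/nginx "combined" access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def comment_posts_by_ip(log_lines, threshold: int = 3) -> dict:
    """Client IPs with >= threshold POSTs to wp-comments-post.php.

    Access logs do not record request bodies, so this only surfaces volume
    anomalies; the payload itself has to be checked with scan_comment().
    """
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].endswith("/wp-comments-post.php"):
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def triage(log_lines, comments, threshold: int = 3) -> dict:
    """Combine both checks; `comments` is an iterable of (comment_ID, comment_content)."""
    flagged = {}
    for cid, body in comments:
        hits = scan_comment(body)
        if hits:
            flagged[cid] = hits
    return {
        "suspicious_ips": comment_posts_by_ip(log_lines, threshold),
        "flagged_comments": flagged,
    }


# Constructed sample data: three comment POSTs from one scripted client, one from a browser.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2025:10:15:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Nov/2025:10:15:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [12/Nov/2025:10:16:40 +0000] "GET /2025/11/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Nov/2025:10:17:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://example.test/2025/11/hello-world/" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Nov/2025:10:15:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
]
SAMPLE_COMMENTS = [
    ("101", "Great write-up, thanks!"),
    ("102", "<!-- mfunc SECRET -->system($_GET['c']);<!-- /mfunc SECRET -->"),
    ("103", "Run base64_decode(...) on it and you will see."),
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_COMMENTS))
```

On the sample data the script reports 203.0.113.7 (three comment POSTs from a scripted client) and comments 102 and 103. Comment 103 is the kind of false positive the function-name check produces on ordinary technical discussion, so treat the output as a triage list to review by hand, not a verdict; the mfunc marker is the stronger indicator. To run it against a real site, export comment_ID and comment_content from wp_comments and pass the rows in place of SAMPLE_COMMENTS.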
Compensating Controls: If immediate patching is not feasible, consider the following temporary measures:
- Deploy a Web Application Firewall (WAF) with rules that detect and block mfunc markers and PHP code in POST requests to wp-comments-post.php, and command injection attempts in POST bodies generally.
- Temporarily disable the W3 Total Cache plugin until it can be safely updated.
- Disable comments across the entire website to remove the attack vector. Close comments on existing posts as well as changing the default for new posts, since the default setting alone does not affect posts that already accept comments; existing stored comments remain and should be reviewed.
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Given the critical severity (CVSS 9.0), public availability of an exploit, and the unauthenticated attack vector, immediate remediation is strongly recommended. All organizations using the W3 Total Cache plugin must prioritize updating to a patched version without delay. Although this vulnerability is not currently listed in the CISA KEV catalog, its characteristics make it a prime target for opportunistic and targeted attacks. Systems should be considered compromised if any evidence of exploitation is found during log review.