We’ve completed the update process for the affected W3TC plugin on sites that meet the required WordPress and PHP versions.
For sites that did not meet the requirements, or where the server is not accessible, we’ve contacted affected customers directly via support cases, as the update could not be applied safely at this time. We recommend that they review all their sites on the server and manually update the W3TC plugin to version 2.8.14 or higher, if it has not already been updated, as exploit details are now publicly available.
Our support team is available. If you have any questions or concerns, please don't hesitate to contact our support team through a ticket in your portal or via live chat.
Our teams are nearing the completion of the W3 Total Cache (W3TC) plugin update rollout across all eligible sites. The majority of sites running vulnerable or outdated versions have already been successfully updated.
We are now finalizing reviews on the remaining sites where updates could not be automatically applied. In these cases, customer involvement may be required (for example, due to outdated PHP or WordPress versions, or access limitations). We will reach out directly to affected customers to review their hosting environment and update the plugin.
We continue to recommend that all customers review their sites and manually update the W3TC plugin to version 2.8.14 or higher, if it has not already been updated, as exploit details are now publicly available.
We’ll share a final update once this process is fully complete.
If you have any questions or concerns, please don't hesitate to contact our support team through a ticket in your portal or via live chat.
As shared in our earlier update, our teams are continuing to roll out the W3 Total Cache (W3TC) plugin update on sites that meet the minimum requirements. We’ve already been able to successfully update many sites running vulnerable or outdated versions, and this work is still in progress across the fleet.
We’re also reviewing the remaining sites to determine where the update can be safely applied. In some cases, factors like outdated PHP/WordPress versions or limited server access may prevent the update from completing. For those situations, we will follow up directly with customers once our review is finished.
We still strongly encourage all customers to review their sites and manually update the W3TC plugin if needed, as details about the exploit have already been made public.
Further updates will be shared as progress continues.
We have successfully applied the W3 Total Cache (W3TC) plugin update to thousands of customer sites where an outdated installation was identified and the environment met the minimum requirements for the upgrade. Our teams are continuing to review the hosting fleet and will apply updates wherever possible.
In most cases, we are able to complete the update for our customers. However, several common blockers have prevented updates on some sites, including:
Outdated PHP versions (older than PHP 7.2.5)
Outdated WordPress installations (earlier than WordPress 5.3)
Restricted or limited server access
Once our update efforts are complete, we will contact customers whose environments contain a vulnerable W3TC installation that we were able to identify but could not be updated automatically, so that they and their teams can take any required remediation steps.
We strongly recommend that all customers review their hosting environments and update the plugin as soon as possible, as a proof-of-concept for the exploit has been publicly released.
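A triage sketch for the site review recommended above, added here as an example and not the hosting provider's tooling: it reads the W3TC plugin header and the WordPress core version and applies the version thresholds stated on this page. The function names and result labels are hypothetical, the file paths assume the standard WordPress layout, and the PHP version is assumed to be supplied by the caller.

```python
import re
from pathlib import Path

# Thresholds as stated on this page (its latest update recommends 2.8.14 or higher).
FIXED_W3TC = (2, 8, 14)
MIN_WP = (5, 3, 0)    # update blocked on WordPress earlier than 5.3
MIN_PHP = (7, 2, 5)   # update blocked on PHP older than 7.2.5
# Assumption: standard WordPress layout under each site root.
PLUGIN_FILE = "wp-content/plugins/w3-total-cache/w3-total-cache.php"
CORE_FILE = "wp-includes/version.php"

def vtuple(text):
    """'5.3' -> (5, 3, 0); a suffix such as '-RC1' is ignored, a 4th part dropped."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def triage(plugin_src, core_src, php_version):
    """Classify one site from file contents (hypothetical labels, not a W3TC API)."""
    if plugin_src is None:
        return "not-installed"
    header = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", plugin_src[:8192], re.M | re.I)
    if not header:
        return "unknown-version"
    if vtuple(header.group(1)) >= FIXED_W3TC:
        return "patched"
    wp = re.search(r"\$wp_version\s*=\s*'([^']+)'", core_src or "")
    blockers = []
    if wp is None or vtuple(wp.group(1)) < MIN_WP:
        blockers.append("wordpress")
    if vtuple(php_version) < MIN_PHP:
        blockers.append("php")
    return "blocked:" + ",".join(blockers) if blockers else "update-now"

def _read(path):
    return path.read_text(errors="replace") if path.is_file() else None

def triage_site(site_root, php_version):
    """Same check, reading the two files from a site root on disk."""
    root = Path(site_root)
    return triage(_read(root / PLUGIN_FILE), _read(root / CORE_FILE), php_version)

# Constructed sample file contents (not taken from any real site).
PLUGIN_TMPL = "<?php\n/**\n * Plugin Name: W3 Total Cache\n * Version: {}\n */\n"
CORE_TMPL = "<?php\n$wp_version = '{}';\n"

def demo():
    cases = [("2.8.14", "6.4.2", "8.1.0"), ("2.8.13", "6.4.2", "8.1.0"),
             ("2.7.0", "5.2.4", "7.1.33")]
    return [triage(PLUGIN_TMPL.format(w), CORE_TMPL.format(c), p) for w, c, p in cases]
```

A `blocked:` result marks a site that still carries a pre-2.8.14 plugin and sits below the WordPress or PHP minimums listed above, so the platform has to be brought up first.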
Our team is actively involved in updating the W3 Total Cache (W3TC) plugin to the latest version for all sites running W3TC version 2.8.13 or earlier, as part of the ongoing remediation for CVE-2025-9501.
We are closely monitoring all systems throughout this process to ensure the updates are applied successfully and to verify that there is no customer impact.
Further updates will be shared as progress continues.
Our team will be updating the W3 Total Cache (W3TC) plugin on WordPress sites where the installed version is lower than 2.8.13. This update addresses CVE-2025-9501, a critical security vulnerability.
A fixed version is available in W3TC 2.8.13 and later. To ensure the continued security and stability of your sites, our engineering team will apply this update.
We do not anticipate any downtime during this process.
No action is required on your part. Our team will monitor the update closely to ensure your sites remain fully functional. We appreciate your co-operation as we take this proactive step to protect your sites.
For additional details on the vulnerability, please refer to:
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
If you encounter any issues after the update, please contact our support team through a ticket in your portal or via live chat.
We will provide updates on the progress of the patching.