As shared in our earlier update, our teams are continuing to roll out the W3 Total Cache (W3TC) plugin update on sites that meet the minimum requirements. We’ve already been able to successfully update many sites running vulnerable or outdated versions, and this work is still in progress across the fleet.
We’re also reviewing the remaining sites to determine where the update can be safely applied. In some cases, factors like outdated PHP/WordPress versions or limited server access may prevent the update from completing. For those situations, we will follow up directly with customers once our review is finished.
We still strongly encourage all customers to review their sites and manually update the W3TC plugin if needed, as details about the exploit have already been made public.
Further updates will be shared as progress continues.
Posted Dec 10, 2025 - 15:11 EST
Update
We have successfully applied the W3 Total Cache (W3TC) plugin update to thousands of customer sites where an outdated installation was identified and the environment met the minimum requirements for the upgrade. Our teams are continuing to review the hosting fleet and will apply updates wherever possible.
In most cases, we are able to complete the update for our customers. However, several common blockers have prevented updates on some sites, including:
Outdated PHP versions (older than PHP 7.2.5)
Outdated WordPress installations (earlier than WordPress 5.3)
Restricted or limited server access
Once our update efforts are complete, we will contact customers whose environments contain a vulnerable W3TC installation that we were able to identify but could not be updated automatically, so that they and their teams can take any required remediation steps.
We strongly recommend that all customers review their hosting environments and update the plugin as soon as possible, as a proof-of-concept for the exploit has been publicly released.
Posted Dec 02, 2025 - 16:18 EST
Update
Our team is actively involved in updating the W3 Total Cache (W3TC) plugin to the latest version for all sites running W3TC version 2.8.13 or earlier, as part of the ongoing remediation for CVE-2025-9501.
We are closely monitoring all systems throughout this process to ensure the updates are applied successfully and to verify that there is no customer impact.
Further updates will be shared as progress continues.
Posted Nov 21, 2025 - 08:03 EST
Identified
Our team will be updating the W3 Total Cache (W3TC) plugin on WordPress sites where the installed version is lower than 2.8.13. This update addresses CVE-2025-9501, a critical security vulnerability.
A fixed version is available in W3TC 2.8.13 and later. To ensure the continued security and stability of your sites, our engineering team will apply this update.
We do not anticipate any downtime during this process.
No action is required on your part. Our team will monitor the update closely to ensure your sites remain fully functional. We appreciate your co-operation as we take this proactive step to protect your sites.