WordPress Plugin Vulnerability - W3 Total Cache

Incident Report for Server Status | Nexcess

Update

Our team is actively involved in updating the W3 Total Cache (W3TC) plugin to the latest version for all sites running W3TC version 2.8.13 or earlier, as part of the ongoing remediation for CVE-2025-9501.

We are closely monitoring all systems throughout this process to ensure the updates are applied successfully and to verify that there is no customer impact.

Further updates will be shared as progress continues.
Posted Nov 21, 2025 - 08:03 EST

Identified

Our team will be updating the W3 Total Cache (W3TC) plugin on WordPress sites where the installed version is lower than 2.8.13. This update addresses CVE-2025-9501, a critical security vulnerability.

A fixed version is available in W3TC 2.8.13 and later. To ensure the continued security and stability of your sites, our engineering team will apply this update.

We do not anticipate any downtime during this process.

No action is required on your part. Our team will monitor the update closely to ensure your sites remain fully functional. We appreciate your co-operation as we take this proactive step to protect your sites.

For additional details on the Vulnerability, please refer:
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/

If you encounter any issues after the update please contact our support team through a ticket in your portal or via live chat.

We will provide updates on the progress of the patching.
Posted Nov 20, 2025 - 14:52 EST
This incident affects: Managed Wordpress (Wordpress Core Updates).
Current Status Powered by Atlassian Statuspage