W3 Total Cache WordPress plugin vulnerable to PHP command injection

WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload.
GitHub

w3-total-cache-winnie/Extension_Swarmify_Widget_View_NotConfigured.php

This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
GitHub

w3-total-cache.php

* Description: The highest rated and most complete WordPress performance plugin. Dramatically improve the speed and user experience of your site. Add browser, page, object and database caching as well ...