WordPress Plugin Vulnerabilities

LWS Cleaner < 2.4.2 - Admin+ Arbitrary File Deletion

Description

The plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Plugin icon
lws-cleaner
Fixed in 2.4.2

References

CVE
CVE-2025-8575
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fa37025a-7f20-4cfe-a7d0-38168f49b6d9

Classification

Type
FILE DELETION
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Jonas Benjamin Friedli
Verified
No
WPVDB ID
c4091db3-6ba1-450b-a239-f3fa0a4de139

Timeline

Publicly Published
2025-09-11 (about 9 months ago)
Added
2025-09-11 (about 9 months ago)
Last Updated
2025-09-11 (about 9 months ago)

Other

Published
Title
Published
2025-10-31
Title
Import WP – Export and Import CSV and XML files to WordPress < 2.14.17 - Authenticated (Admin+) Arbitrary File Read
Published
2025-12-01
Title
Cost Calculator Builder < 3.6.4 - Unauthenticated Arbitrary File Deletion
Published
2026-05-13
Title
Motors – Car Dealer, Classifieds & Listing < 1.4.108 - Authenticated (Subscriber+) Arbitrary File Deletion via 'stm_dealer_logo_path' Parameter
Published
2020-10-07
Title
HyperComments <= 1.2.2 - Unauthenticated Arbitrary File Deletion
Published
2025-02-28
Title
Simple Download Counter < 2.1 - Authenticated (Author+) Arbitrary File Read