10Web Booster < 2.32.11 – Subscriber+ Arbitrary Folder Deletion | CVE 2025-13377 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.

Affects Plugins

tenweb-speed-optimizer

Fixed in 2.32.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

shark3y

Verified

No

WPVDB ID

d5df2a79-0ac3-4001-ab0b-cfd12b4ab0bf

Timeline

Publicly Published

2025-12-05 (about 5 months ago)

Added

2025-12-08 (about 5 months ago)

Last Updated

2025-12-08 (about 5 months ago)

Other

Published

Title

Published

2025-06-24

Title

Everest Forms (Pro) < 1.9.5 - Unauthenticated Arbitrary File Deletion via Path Traversal

Published

2024-10-29

Title

Code Explorer <= 1.4.5 - Authenticated (Admin+) External File Reading

Published

2023-10-12

Title

Remote Content Shortcode <= 1.5 - Authenticated(Contributor+) Local File Inclusion via shortcode

Published

2025-01-30

Title

Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.8.6 - Limited Arbitrary File Deletion

Published

2025-10-07

Title

Motors – Car Dealership & Classified Listings Plugin < 1.4.90 - Authenticated (Subscriber+) Arbitrary File Deletion