CVE-2025-13377

CVE-2025-13377 is a high-severity vulnerability in the 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress, affecting all versions up to and including 2.32.7. It stems from insufficient file path validation in the get_cache_dir_for_page_from_url() function, enabling arbitrary folder deletion on the server. The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed function, they can delete arbitrary folders, potentially causing significant data loss or denial-of-service conditions across the impacted WordPress site and possibly changing the scope to affect other components due to the high integrity and availability impacts.

Mitigation is addressed in the plugin's patch via WordPress changeset 3402434 at https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer. Additional details on the vulnerability and intelligence are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve. Security practitioners should update to a version beyond 2.32.7 and review access controls for low-privilege users.