Description
The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.
Published: 2025-12-06
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Directory Deletion & Denial of Service
Action: Patch
AI Analysis

Impact

The 10Web Booster plugin contains a flaw in the get_cache_dir_for_page_from_url() routine that fails to validate file paths correctly. This weakness allows an attacker with authenticated Subscriber-level access or higher to specify an arbitrary path, causing the server to delete any folder for which the user has filesystem rights. The resulting loss of folders can erase website data, break site functionality, or render the site unavailable. The root cause is a path‑traversal vulnerability (CWE‑22).

Affected Systems

WordPress sites running the 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin, with any version up to and including 2.32.7. The vulnerability is present in all versions of the plugin through 2.32.7; newer releases have been fixed.

Risk and Exploitability

The container has a CVSS score of 9.6, indicating high severity. The EPSS score of < 1% suggests that exploitation is currently not common, but the vulnerability remains actively exploitable for any authenticated user with Subscriber or higher role. The flaw is not listed in the CISA KEV catalog, so there is no known active exploitation campaign, yet the combination of a high impact and a viable attack path warrants urgent attention. An attacker must first authenticate to the WordPress admin area with a Subscriber or higher role, then trigger the deletion via the two_clear_page_cache function, which can target arbitrary directories on the server.

Generated by OpenCVE AI on April 21, 2026 at 00:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to 10Web Booster version 2.32.8 or later to remove the flaw
  • Restrict or remove unnecessary Subscriber and higher‑privilege user accounts
  • Configure file system permissions so that only privileged system processes can delete critical directories

Generated by OpenCVE AI on April 21, 2026 at 00:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Dec 2025 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:10web:10web_booster:*:*:*:*:*:wordpress:*:*

Tue, 09 Dec 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared 10web
10web 10web Booster
Wordpress
Wordpress wordpress
Vendors & Products 10web
10web 10web Booster
Wordpress
Wordpress wordpress

Mon, 08 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Dec 2025 06:45:00 +0000

Type Values Removed Values Added
Description The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.
Title 10Web Booster <= 2.32.7 - Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H'}

Subscriptions

10web 10web Booster
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:03.487Z

Reserved: 2025-11-18T19:31:43.901Z

Link: CVE-2025-13377

cve-icon Vulnrichment

Updated: 2025-12-08T21:27:08.604Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-06T07:15:46.830

Modified: 2025-12-11T21:45:39.327

Link: CVE-2025-13377

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses