Description
The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-09-12
Score: 7.2 High
EPSS: 1.5% Low
KEV: No
Impact: Arbitrary file deletion with potential remote code execution
Action: Immediate Patch
AI Analysis

Impact

The LWS Cleaner WordPress plugin contains a flaw in the lws_cl_delete_file function that fails to properly validate file paths. The flaw allows an authenticated user with Administrator-level or higher privileges to delete any file on the server, including critical configuration files such as wp-config.php. Removing such files can lead to immediate compromise of the site or remote code execution, as the attacker can replace them with malicious content. The vulnerability is documented as CWE-36, an absolute path traversal weakness.
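To make the weakness concrete from the defender's side, the following PHP snippet is an added illustration (not code from the LWS Cleaner plugin or from OpenCVE) of the CWE-36 pattern in a file-deletion routine beside a hardened version that pins deletions to one directory. The function names, the "allowed directory" and the throwaway sample files are assumptions constructed for this example.

```php
<?php
// Added illustration of the CWE-36 pattern the advisory describes. This is not
// the LWS Cleaner plugin's code: the function names, the "allowed directory"
// and the sample files below are assumptions constructed for this example.

/**
 * Vulnerable pattern: a caller-controlled path reaches unlink() unchanged.
 * An absolute path is honoured as given, so nothing ties the delete to the
 * directory the feature was meant to clean.
 */
function example_delete_file_unsafe( string $requested ): bool {
    return is_file( $requested ) && unlink( $requested );
}

/**
 * Hardened pattern: the input is treated as a name relative to one dedicated
 * directory, the joined path is canonicalised with realpath(), and anything
 * that resolves outside that directory is refused. realpath() also resolves
 * symlinks, so a link planted inside the directory cannot redirect the delete.
 * In a WordPress plugin this would sit behind the usual capability and nonce
 * checks as well; those are omitted here to keep the example stand-alone.
 */
function example_delete_file_safe( string $requested, string $allowed_dir ): bool {
    $base = realpath( $allowed_dir );
    if ( $base === false ) {
        return false; // the allowed directory itself is missing
    }
    // Refuse absolute paths outright (POSIX "/..." and Windows "C:\...").
    if ( $requested === ''
        || $requested[0] === '/'
        || $requested[0] === '\\'
        || preg_match( '#^[A-Za-z]:[\\\\/]#', $requested ) ) {
        return false;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( $candidate === false || ! is_file( $candidate ) ) {
        return false; // nonexistent, or a directory rather than a file
    }
    // The canonical path must begin with "<base><separator>"; this is what
    // stops "../" segments from escaping the allowed directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( strncmp( $candidate, $prefix, strlen( $prefix ) ) !== 0 ) {
        return false;
    }
    return unlink( $candidate );
}

// Constructed demo: a throwaway cleanup directory with a stale file inside it,
// and a stand-in for wp-config.php one level above it.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cwe36-demo-' . getmypid();
$allowed = $root . DIRECTORY_SEPARATOR . 'cache';
mkdir( $allowed, 0700, true );
file_put_contents( $allowed . DIRECTORY_SEPARATOR . 'stale.tmp', 'junk' );
file_put_contents( $root . DIRECTORY_SEPARATOR . 'wp-config.php', '<?php // stand-in' );

// Requests that leave the allowed directory are refused and the stand-in survives.
$escaped  = example_delete_file_safe( '../wp-config.php', $allowed );
$absolute = example_delete_file_safe( $root . DIRECTORY_SEPARATOR . 'wp-config.php', $allowed );
$survived = is_file( $root . DIRECTORY_SEPARATOR . 'wp-config.php' );

// A file genuinely inside the allowed directory is deleted as intended.
$deleted  = example_delete_file_safe( 'stale.tmp', $allowed );
$gone     = ! is_file( $allowed . DIRECTORY_SEPARATOR . 'stale.tmp' );

printf( "traversal refused: %s, absolute refused: %s, config intact: %s\n",
    var_export( ! $escaped, true ), var_export( ! $absolute, true ), var_export( $survived, true ) );
printf( "in-scope delete worked: %s\n", var_export( $deleted && $gone, true ) );

// Cleanup of the constructed files.
unlink( $root . DIRECTORY_SEPARATOR . 'wp-config.php' );
rmdir( $allowed );
rmdir( $root );
```

The prefix comparison is done on the output of realpath() for both sides, not on the raw strings, so ".." segments and symlinks are collapsed before the check; comparing against the base directory plus a trailing separator also prevents a sibling directory whose name merely starts with the base name from passing.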

Affected Systems

WordPress users running the LWS Cleaner plugin, version 2.4.1.3 or earlier, are affected. The problem is absent only in releases newer than 2.4.1.3.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity when Administrative credentials are compromised. With an EPSS score of 2%, the probability of exploitation is low but non-negligible, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers need authenticated access at the Administrator level; there is no known unauthenticated vector. The risk is concentrated in environments where strong admin privileges are shared or where credentials could be obtained via phishing or credential stuffing.

Generated by OpenCVE AI on April 20, 2026 at 19:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LWS Cleaner plugin to a version newer than 2.4.1.3 to remove the vulnerability.
  • If an upgrade is not immediately possible, disable or uninstall the LWS Cleaner plugin to eliminate the attack surface.
  • Enforce least privilege for administrator accounts and regularly audit user roles; restrict or remove unnecessary administrator privileges.


Advisories
Source: EUVD
ID: EUVD-2025-29027
Title: The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Mon, 15 Sep 2025 10:45:00 +0000

Values added:
  First Time appeared: Lws; Lws lws Cleaner; Wordpress; Wordpress wordpress
  Vendors & Products: Lws; Lws lws Cleaner; Wordpress; Wordpress wordpress

Fri, 12 Sep 2025 17:15:00 +0000

Values added:
  Metrics: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Sep 2025 05:30:00 +0000

Values added:
  Description: The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
  Title: LWS Cleaner <= 2.4.1.3 - Authenticated (Administrator+) Arbitrary File Deletion via 'lws_cl_delete_file'
  Weaknesses: CWE-36
  References:
  Metrics: cvssV3_1
  {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Lws Lws Cleaner
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:20.206Z

Reserved: 2025-08-05T00:23:10.299Z

Link: CVE-2025-8575

Vulnrichment

Updated: 2025-09-12T16:30:41.037Z

NVD

Status : Deferred

Published: 2025-09-12T06:15:43.810

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8575

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:45:15Z

Weaknesses