Description
The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.
Published: 2026-06-13
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In WordPress sites running LWS Optimize – All-in-One Speed Booster & Cache Tools up to and including version 3.3.19, the combine_current_css() function accepts stylesheet URLs extracted from page HTML and converts same-site paths to absolute filesystem paths without ensuring those paths remain inside the site’s root or that they end with a .css extension. This oversight allows an attacker who has been granted at least Editor role or higher to read the contents of any file on the server that the web server’s PHP process can reach, leading to a confidentiality compromise. The bug does not directly lead to code execution or privilege escalation, but the exposure of configuration files, core code, or sensitive data that resides on disk can be exploited in further attacks.

Affected Systems

The vulnerability affects the plugin LWS Optimize – All-in-One Speed Booster & Cache Tools (all versions up to and including 3.3.19). Users who have installed any of these versions and rely on the plugin’s CSS aggregation feature are at risk.

Risk and Exploitability

The CVSS score is 4.9, indicating a moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of widespread exploitation is uncertain. The attack vector is authenticated via a WordPress account with Editor privileges or higher. Because the exposed functionality reads files from the server, the impact is limited to confidentiality, but it can enable attackers to gather additional information that may facilitate more advanced attacks.

Generated by OpenCVE AI on June 13, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the LWS Optimize plugin to the latest non‑vulnerable version (3.3.20 or later).
  • Limit users with Editor-level or higher permissions to trusted personnel and regularly review role assignments to reduce the attack surface.
  • If a patch cannot be applied immediately, disable the combine_current_css feature or restrict it so that only files with a .css extension from the site’s root can be processed.

Generated by OpenCVE AI on June 13, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Aurelienlws
Aurelienlws lws Optimize – All-in-one Speed Booster & Cache Tools
Wordpress
Wordpress wordpress
Vendors & Products Aurelienlws
Aurelienlws lws Optimize – All-in-one Speed Booster & Cache Tools
Wordpress
Wordpress wordpress

Sat, 13 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Description The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.
Title WS Optimize – All-in-One Speed Booster & Cache Tools <= 3.3.19 - Authenticated (Editor+) Arbitrary File Read
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Aurelienlws Lws Optimize – All-in-one Speed Booster & Cache Tools
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-15T12:57:04.691Z

Reserved: 2026-06-12T13:57:55.876Z

Link: CVE-2026-12089

cve-icon Vulnrichment

Updated: 2026-06-15T12:56:56.729Z

cve-icon NVD

Status : Deferred

Published: 2026-06-13T03:16:19.573

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-12089

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T12:29:10Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')