CVE-2026-12089 - Vulnerability Details

Description

The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.

Published: 2026-06-13

Score: 4.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In WordPress sites running LWS Optimize – All-in-One Speed Booster & Cache Tools up to and including version 3.3.19, the combine_current_css() function accepts stylesheet URLs extracted from page HTML and converts same-site paths to absolute filesystem paths without ensuring those paths remain inside the site’s root or that they end with a .css extension. This oversight allows an attacker who has been granted at least Editor role or higher to read the contents of any file on the server that the web server’s PHP process can reach, leading to a confidentiality compromise. The bug does not directly lead to code execution or privilege escalation, but the exposure of configuration files, core code, or sensitive data that resides on disk can be exploited in further attacks.

Affected Systems

The vulnerability affects the plugin LWS Optimize – All-in-One Speed Booster & Cache Tools (all versions up to and including 3.3.19). Users who have installed any of these versions and rely on the plugin’s CSS aggregation feature are at risk.

Risk and Exploitability

The CVSS score is 4.9, indicating a moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of widespread exploitation is uncertain. The attack vector is authenticated via a WordPress account with Editor privileges or higher. Because the exposed functionality reads files from the server, the impact is limited to confidentiality, but it can enable attackers to gather additional information that may facilitate more advanced attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

aurelienlws

LWS Optimize – All-in-One Speed Booster & Cache Tools

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.3.19

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the LWS Optimize plugin to the latest non‑vulnerable version (3.3.20 or later).
Limit users with Editor-level or higher permissions to trusted personnel and regularly review role assignments to reduce the attack surface.
If a patch cannot be applied immediately, disable the combine_current_css feature or restrict it so that only files with a .css extension from the site’s root can be processed.

Generated by OpenCVE AI on June 13, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/lws-optimize/tags/3.3.19/Classes/Front/LwsOptimizeCSSManager.php#L289
https://plugins.trac.wordpress.org/browser/lws-optimize/tags/3.3.19/Classes/Front/LwsOptimizeCSSManager.php#L61
https://www.wordfence.com/threat-intel/vulnerabilities/id/5cb80db2-753c-40fa-aee4-7d8c1749d037?source=cve

History

Sat, 13 Jun 2026 02:45:00 +0000

Type	Values Removed	Values Added
Description		The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.
Title		WS Optimize – All-in-One Speed Booster & Cache Tools <= 3.3.19 - Authenticated (Editor+) Arbitrary File Read
Weaknesses		CWE-22
References		https://plugins.trac.wordpress.org/browser/lws-optimize/tags/3.3.19/Classes/Front/LwsOptimizeCSSManager.php#L289 https://plugins.trac.wordpress.org/browser/lws-optimize/tags/3.3.19/Classes/Front/LwsOptimizeCSSManager.php#L61 https://www.wordfence.com/threat-intel/vulnerabilities/id/5cb80db2-753c-40fa-aee4-7d8c1749d037?source=cve
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-13T02:29:02.487Z

Updated: 2026-06-13T02:29:02.487Z

Reserved: 2026-06-12T13:57:55.876Z

Link: CVE-2026-12089

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-13T03:16:19.573

Modified: 2026-06-13T03:16:19.573

Link: CVE-2026-12089

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T03:30:18Z

Weaknesses

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object