CVE-2025-13377 Overview
CVE-2025-13377 is an arbitrary folder deletion vulnerability in the 10Web Booster WordPress plugin (listed on WordPress.org as "Website speed optimization, Cache & Page Speed optimizer"). The flaw is in the get_cache_dir_for_page_from_url() function, which builds a filesystem path from URL-derived input without checking that the result stays inside the plugin's cache directory; the plugin then deletes the directory at that path. All plugin versions up to and including 2.32.7 are affected. Any authenticated user, including the default Subscriber role, can exploit the issue to delete arbitrary folders on the server, causing data loss or a denial-of-service condition for the WordPress installation. The weakness is classified as [CWE-22] (Path Traversal).
Critical Impact
Authenticated attackers with low-privilege Subscriber accounts can remove arbitrary directories on the WordPress server, leading to data loss and site outages.
Affected Products
- 10Web Booster – Website speed optimization, Cache & Page Speed optimizer (WordPress plugin)
- All versions up to and including 2.32.7
- WordPress sites permitting Subscriber-level registrations
Discovery Timeline
- 2025-12-06 - CVE-2025-13377 published to the National Vulnerability Database (NVD)
- 2025-12-11 - Last updated in the NVD database
Technical Details for CVE-2025-13377
Vulnerability Analysis
The vulnerability stems from insufficient path validation in the get_cache_dir_for_page_from_url() function of the 10Web Booster plugin. The function is meant to resolve the cache directory that belongs to a given page URL, but it does not enforce that the resolved path stays within the plugin's designated cache directory. Attacker-controlled input is incorporated into a filesystem path that is later handed to a directory deletion routine. Because the plugin exposes the affected functionality to any authenticated user, the lowest built-in role (Subscriber) is enough, so a site with open registration is exposed to anyone who can create an account.
Root Cause
The root cause is a path traversal weakness [CWE-22]. The get_cache_dir_for_page_from_url() function trusts URL-derived input when constructing a filesystem path and does not canonicalize or constrain that path to the plugin's cache root. Traversal sequences such as ../ allow the resulting path to point to arbitrary directories on the server. Consumers of this function then operate on the returned path without re-validating its location, enabling deletion outside the intended scope.
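The pattern described above, as an added example that is not code from the 10Web Booster plugin or the advisory: the function names echo the one named in the advisory, but both bodies are hypothetical reconstructions of the bug class and of a fix, and the cache-root layout is a constructed temp directory. The vulnerable variant splices the URL path into the cache path unchanged; the hardened variant drops dot segments, canonicalises with realpath(), and refuses anything outside the cache root (returning null, which a deleting caller must treat as "nothing to delete").

```php
<?php
declare(strict_types=1);

// Added example for this advisory, not code from the 10Web Booster plugin.
// Both function bodies are hypothetical reconstructions, not the vendor's code.
// Requires PHP 7.4+.

// Vulnerable pattern: the URL path is spliced into a filesystem path as-is.
// parse_url() does not remove dot segments, so "../" in the URL walks out of
// the cache root once the path reaches rmdir()/unlink().
function get_cache_dir_for_page_from_url_vulnerable(string $cacheRoot, string $url): string
{
    $path = (string) parse_url($url, PHP_URL_PATH);
    return rtrim($cacheRoot . '/' . trim($path, '/'), '/');
}

// Hardened pattern: decode, drop dot segments, canonicalise with realpath(),
// and require the result to lie under the cache root. Returns null on any
// doubt; a deleting caller must treat null as "nothing to delete".
function get_cache_dir_for_page_from_url_safe(string $cacheRoot, string $url): ?string
{
    $path = rawurldecode((string) parse_url($url, PHP_URL_PATH)); // %2e%2e -> ..
    $segments = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.' || $seg === '..') {
            continue; // never keep empty, "." or ".." segments
        }
        $segments[] = $seg;
    }
    $candidate = $cacheRoot . ($segments ? '/' . implode('/', $segments) : '');

    // realpath() resolves symlinks and returns false for paths that do not
    // exist; resolving first also defeats a symlink planted inside the cache.
    $root = realpath($cacheRoot);
    $real = realpath($candidate);
    if ($root === false || $real === false) {
        return null;
    }
    // Prefix check with a trailing separator, so "/cache/booster-old" is not
    // mistaken for a child of "/cache/booster".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($real !== $root && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Demo on a throwaway tree under the system temp dir (constructed layout).
$base = sys_get_temp_dir() . '/tenweb-demo-' . getmypid();
$root = $base . '/wp-content/cache/booster';
mkdir($root . '/about', 0700, true);
mkdir($base . '/wp-content/uploads', 0700, true);

$attack = 'https://example.test/../../uploads/'; // two ".." climb from booster/ to wp-content/
$benign = 'https://example.test/about/';

// The vulnerable result still contains "../../", i.e. it points at wp-content/uploads.
echo 'vulnerable: ', get_cache_dir_for_page_from_url_vulnerable($root, $attack), PHP_EOL;
// The hardened result is null for the attack (no "uploads" under the cache
// root) and the real cache path for the benign URL.
var_dump(get_cache_dir_for_page_from_url_safe($root, $attack));
var_dump(get_cache_dir_for_page_from_url_safe($root, $benign));

foreach ([$root . '/about', $root, "$base/wp-content/cache", "$base/wp-content/uploads", "$base/wp-content", $base] as $dir) {
    rmdir($dir); // clean up the demo tree
}
```

Two caveats worth keeping in mind when applying this in a real plugin: realpath() only works on paths that exist, so the validation has to happen on the final path rather than on a parent that is later joined with more input, and the containment check must compare against the realpath() of the cache root as well, because on some hosts the configured root is itself a symlink.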
Attack Vector
Exploitation requires network access to the WordPress site and an authenticated session at Subscriber level or higher. The attacker submits a crafted request to the plugin endpoint that ultimately invokes the vulnerable function with a manipulated URL value. Once the function returns a path outside the cache directory, the plugin removes the targeted folder. The reach is bounded only by the filesystem permissions of the PHP worker, which on most hosting setups covers the whole wp-content/ tree: removing wp-content/uploads, theme directories, or other plugin folders disrupts site availability and destroys site data. No user interaction beyond the attacker's own authenticated request is required.
No public proof-of-concept exploit has been released, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-13377
Indicators of Compromise
- Unexpected deletion of directories under wp-content/, including upload, theme, or plugin folders
- WordPress error logs showing missing files or broken plugin or theme references after Subscriber activity
- Authenticated HTTP POST requests to 10Web Booster (tenweb-speed-optimizer) endpoints containing URL parameters with ../ traversal sequences
- New low-privilege user registrations followed by AJAX or REST calls to plugin actions
Detection Strategies
- Monitor web server access logs for requests to 10Web Booster admin-ajax or REST endpoints originating from Subscriber accounts.
- Alert on URL parameters containing path traversal patterns such as ..%2f, ../, or encoded variants directed at the plugin.
- Audit filesystem change events for rmdir or recursive delete operations performed by the PHP-FPM or web server process outside the plugin's cache directory.
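The log-based strategies above, as an added detection example that is not from the advisory or the plugin. The sample access-log lines are constructed, the AJAX action and REST route names in them are placeholders, and only the plugin slug (tenweb-speed-optimizer) comes from the advisory; the real action names must be taken from the plugin source before narrowing the filter. The scanner parses combined-log-format lines, keeps those aimed at a WordPress plugin entry point (admin-ajax, the REST API, or the plugin directory), and flags a traversal sequence in the path or any query parameter after decoding repeatedly, so single- and double-encoded variants are caught.

```php
<?php
declare(strict_types=1);

// Added detection example for this advisory, not code from the plugin or the
// advisory. Log lines are constructed; action and route names are placeholders.
// Requires PHP 8.0+.

// URL-decode until the string stops changing, so %2e%2e%2f and the
// double-encoded %252e%252e%252f both normalise to "../".
function fully_decode(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

// True if a decoded value contains a ".." path segment (forward or back slash).
function has_traversal(string $value): bool
{
    $v = str_replace('\\', '/', fully_decode($value));
    return preg_match('#(^|/)\.\.(/|$)#', $v) === 1;
}

// WordPress entry points a plugin handler can sit behind. Narrow this with the
// plugin's real action names once they are confirmed from its source.
function targets_plugin_endpoint(string $path): bool
{
    return str_ends_with($path, '/wp-admin/admin-ajax.php')
        || str_starts_with($path, '/wp-json/')
        || str_contains($path, '/wp-content/plugins/tenweb-speed-optimizer/');
}

// Parse one combined-log-format line; null if it does not look like one.
function parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    [$path, $query] = explode('?', $m[5], 2) + [1 => ''];
    return ['ip' => $m[1], 'user' => $m[2], 'time' => $m[3], 'method' => $m[4],
            'path' => $path, 'query' => $query, 'status' => (int) $m[6]];
}

// Return the lines that hit a plugin entry point with a traversal sequence in
// the path or in any query parameter, each with a short reason.
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null || !targets_plugin_endpoint($req['path'])) {
            continue;
        }
        if (has_traversal($req['path'])) {
            $hits[] = ['reason' => 'traversal in request path', 'line' => $line];
            continue;
        }
        parse_str($req['query'], $params); // parse_str() applies one decode round itself
        foreach ($params as $name => $value) {
            if (is_string($value) && has_traversal($value)) {
                $hits[] = ['reason' => "traversal in parameter '$name'", 'line' => $line];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample: an attack via admin-ajax, a double-encoded attack via the
// REST API, a benign cache flush, and a traversal aimed at a non-plugin path
// (the last two are not reported).
$sample = [
    '203.0.113.7 - - [06/Dec/2025:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=two_clear_page_cache&url=https%3A%2F%2Fexample.test%2F..%2F..%2Fuploads%2F HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Dec/2025:10:01:40 +0000] "POST /wp-json/two/v1/clear-cache?url=..%252F..%252Fthemes%252F HTTP/1.1" 200 21 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Dec/2025:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=two_clear_page_cache&url=https%3A%2F%2Fexample.test%2Fabout%2F HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [06/Dec/2025:10:03:05 +0000] "GET /blog/../index.php HTTP/1.1" 200 5120 "-" "curl/8.0"',
];

foreach (scan_access_log($sample) as $hit) {
    echo $hit['reason'], ': ', $hit['line'], PHP_EOL;
}
```

Access logs carry only the request line, so this scanner sees query-string parameters and nothing else. The indicator above describes POST requests, whose parameters travel in the body; the same has_traversal() check has to run where the body is visible, that is at the WAF, in a must-use plugin hooked before the plugin's handlers, or on request-body logging, or an attacker simply moves the URL value into the POST body and never appears in the access log.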
Monitoring Recommendations
- Enable WordPress audit logging to capture user role changes and plugin action invocations by low-privilege accounts.
- Track integrity of wp-content/ directories using file integrity monitoring to catch unauthorized folder removals.
- Review newly created Subscriber accounts and correlate session activity with plugin endpoint requests.
How to Mitigate CVE-2025-13377
Immediate Actions Required
- Update the 10Web Booster plugin to the first release that includes changeset 3402434, which fixes the path validation flaw, and confirm afterwards that the installed version is later than 2.32.7.
- Disable open user registration or temporarily restrict Subscriber-level account creation until patching is complete.
- Review existing low-privilege accounts and remove any that are unrecognized or inactive.
- Back up the WordPress site, including wp-content/, before applying updates or performing recovery.
Patch Information
The vendor's fix is the WordPress.org plugin repository commit referenced in the WordPress Plugin Change Log (changeset 3402434). Site administrators should upgrade to the fixed release available from the WordPress.org plugin repository. Additional technical context is published in the Wordfence Vulnerability Report.
Workarounds
- Deactivate the 10Web Booster plugin until the patched version is installed.
- Restrict access to plugin AJAX and REST endpoints at the web application firewall, blocking requests whose query string or POST body contains a path traversal sequence; match after URL-decoding so ..%2f and double-encoded variants are caught as well.
- Set the WordPress users_can_register option to 0 (the "Anyone can register" checkbox under Settings > General) to prevent new untrusted account creation during remediation.
# Configuration example: disable open registration via WP-CLI
wp option update users_can_register 0
# Audit Subscriber accounts created recently
wp user list --role=subscriber --fields=ID,user_login,user_registered
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.