CVE-2025-8575 Overview
The LWS Cleaner plugin for WordPress contains an arbitrary file deletion vulnerability in the lws_cl_delete_file function. All versions up to and including 2.4.1.3 fail to properly validate file paths before deletion. Authenticated attackers with Administrator-level access or above can delete arbitrary files on the underlying server. Deleting critical files such as wp-config.php can trigger WordPress reinstallation flows and lead to remote code execution. The flaw is classified under [CWE-36: Absolute Path Traversal].
Critical Impact
Authenticated administrators can delete arbitrary server files, including wp-config.php, enabling site takeover and remote code execution.
Affected Products
- LWS Cleaner WordPress Plugin versions ≤ 2.4.1.3
- WordPress installations with the LWS Cleaner plugin active
- Shared hosting environments running vulnerable LWS Cleaner deployments
Discovery Timeline
- 2025-09-12 - CVE-2025-8575 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8575
Vulnerability Analysis
The vulnerability resides in the lws_cl_delete_file function within lws-cleaner.php. The function accepts a file path parameter from an authenticated request and passes it to a deletion routine without sufficient validation or canonicalization. Because the supplied path is not constrained to the plugin's working directory, attackers can supply absolute paths or traversal sequences that resolve to files outside the intended scope.
An administrator-level attacker can invoke the vulnerable handler to remove files such as wp-config.php. When WordPress detects a missing configuration file, it returns to the installation flow, allowing the attacker to point the site at an attacker-controlled database and seize administrative control. This pivot turns file deletion into full remote code execution on the host.
Root Cause
The root cause is missing input validation on file path parameters. The lws_cl_delete_file function does not enforce a directory whitelist, does not call a canonicalization routine such as realpath() against an allowed base path, and does not strip traversal characters. The flaw maps to [CWE-36], where attacker-supplied absolute paths are accepted by file operations.
Attack Vector
Exploitation requires authenticated access at the Administrator role or higher and network access to the WordPress admin interface. The attacker submits a crafted request to the plugin endpoint that triggers lws_cl_delete_file with a target path outside the plugin scope. No user interaction is required beyond the attacker's authenticated session.
No verified public proof-of-concept code is available. Refer to the WordPress Plugin Code Review and the Wordfence Vulnerability Analysis for technical details on the vulnerable code path.
Detection Methods for CVE-2025-8575
Indicators of Compromise
- Missing or recently deleted wp-config.php, .htaccess, or core WordPress files on hosts running LWS Cleaner.
- WordPress installation prompt appearing unexpectedly on a previously configured site.
- Web server access logs showing POST requests to LWS Cleaner admin-ajax endpoints invoking lws_cl_delete_file.
- New or modified administrator accounts created shortly after suspicious file deletion events.
Detection Strategies
- Audit installed WordPress plugins for lws-cleaner versions ≤ 2.4.1.3 across all managed sites.
- Monitor file integrity for critical WordPress files including wp-config.php, index.php, and files in wp-includes/.
- Inspect web server and PHP logs for AJAX calls referencing lws_cl_delete_file with absolute paths or ../ sequences.
Monitoring Recommendations
- Enable file integrity monitoring on the WordPress document root with alerting on deletion events.
- Forward web server access logs to a centralized SIEM and alert on requests to admin-ajax.php containing lws_cl_delete_file.
- Track WordPress administrator session activity and correlate file changes with the originating user.
How to Mitigate CVE-2025-8575
Immediate Actions Required
- Update the LWS Cleaner plugin to a version newer than 2.4.1.3 immediately.
- Audit administrator accounts and revoke unused or stale privileged users.
- Verify the integrity of wp-config.php and other core WordPress files against known-good backups.
- Rotate database credentials and WordPress secret keys if administrator compromise is suspected.
Patch Information
The vendor addressed the issue in a plugin update tracked in WordPress Plugin Changeset Update. Site operators should upgrade to the patched release through the WordPress admin dashboard or by replacing the plugin directory with the fixed version.
Workarounds
- Deactivate and remove the LWS Cleaner plugin until the patched version is deployed.
- Restrict administrator role assignment to a minimal set of trusted users and enforce multi-factor authentication.
- Apply web application firewall rules that block requests to admin-ajax.php containing the lws_cl_delete_file action with path traversal sequences.
- Set restrictive filesystem permissions so the PHP process cannot delete files outside wp-content/.
# Example WAF rule (ModSecurity) to block traversal in the vulnerable action
SecRule ARGS:action "@streq lws_cl_delete_file" \
"id:1008575,phase:2,deny,status:403,\
chain,msg:'Block LWS Cleaner arbitrary file deletion (CVE-2025-8575)'"
SecRule ARGS "@rx (\.\./|^/)" "t:none,t:urlDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

