Urgent Security Alert: Critical Arbitrary Folder Deletion Vulnerability in 10Web Booster Plugin (CVE-2025-13377)

Published: 2025-12-06

Overview

A critical vulnerability, identified as CVE-2025-13377, has been discovered in the 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress. It allows an authenticated attacker with Subscriber-level access or higher to delete arbitrary directories that the web server process is permitted to remove. Subscriber is the lowest default WordPress role, so any site with open registration (Settings → General → “Anyone can register”) exposes this to anyone who signs up. Successful exploitation can cause significant data loss and leave the site in a denial-of-service condition.

Technical Details

The vulnerability resides in the get_cache_dir_for_page_from_url() function, which maps a page URL to the on-disk directory holding that page's cached output. The function does not sufficiently validate the filesystem path it derives from the URL, so an attacker who controls the URL can make the derived path point outside the plugin's cache directory; the cache-purge operation that follows then removes whatever directory that path resolves to. All versions of the 10Web Booster plugin up to and including 2.32.7 are affected.
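The pattern described above, as an added illustration in PHP (the plugin's own language): this is a hypothetical reconstruction written for this page, not the plugin's code, and the function names cache_dir_unsafe(), cache_dir_safe() and purge_dir() and the directory layout are assumptions. The unsafe variant glues the URL's path onto the cache root with no normalisation, so a "../" sequence walks out of it; the hardened variant resolves both sides with realpath() and refuses any candidate that does not sit strictly inside the cache root. The attacker URL is constructed for the demo.

```php
<?php
// Hypothetical reconstruction, not the plugin's code. Builds a throwaway
// cache root and a sibling directory (standing in for wp-content/uploads)
// that a cache purge must never touch.
$base      = sys_get_temp_dir() . '/booster-demo-' . getmypid();
$cacheRoot = $base . '/cache';
$protected = $base . '/uploads';
mkdir($cacheRoot . '/example.com/blog', 0700, true);
mkdir($protected, 0700, true);
touch($protected . '/keep.txt');

// Vulnerable: host and path from the URL are appended verbatim, so
// "../" segments in the path escape the cache root.
function cache_dir_unsafe(string $cacheRoot, string $url): string {
    $parts = parse_url($url);
    $host  = $parts['host'] ?? '';
    $path  = $parts['path'] ?? '/';
    return rtrim($cacheRoot . '/' . $host . $path, '/');
}

// Hardened: normalise with realpath() (which also follows symlinks) and
// require the result to be a strict descendant of the cache root.
// realpath() returns false for paths that do not exist, so an uncached
// page yields null and nothing is purged.
function cache_dir_safe(string $cacheRoot, string $url): ?string {
    $parts = parse_url($url);
    $host  = $parts['host'] ?? '';
    $path  = $parts['path'] ?? '/';
    if ($host === '' || preg_match('#[^A-Za-z0-9.\-]#', $host)) {
        return null;                       // only plain hostnames become directory names
    }
    $root      = realpath($cacheRoot);
    $candidate = realpath($cacheRoot . '/' . $host . $path);
    if ($root === false || $candidate === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the cache root: refuse
    }
    return $candidate;
}

// Recursive delete of the kind a cache purge performs.
function purge_dir(string $dir): void {
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $p = $dir . '/' . $entry;
        is_dir($p) ? purge_dir($p) : unlink($p);
    }
    rmdir($dir);
}

// Constructed attacker input: the path climbs two levels above the host directory.
$evil   = 'https://example.com/../../uploads';
$benign = 'https://example.com/blog';

printf("unsafe => %s\n", cache_dir_unsafe($cacheRoot, $evil)); // .../cache/example.com/../../uploads
var_dump(cache_dir_safe($cacheRoot, $evil));                    // NULL: would resolve to .../uploads
var_dump(cache_dir_safe($cacheRoot, $benign));                  // string: .../cache/example.com/blog

// Purging the unsafe result would delete $protected; the safe result
// removes only the page's own cache directory.
$target = cache_dir_safe($cacheRoot, $benign);
if ($target !== null) {
    purge_dir($target);
}
var_dump(file_exists($protected . '/keep.txt'));                // bool(true): sibling data untouched

purge_dir($base); // clean up the demo tree
```

A containment check on the resolved path is the control to look for when auditing similar cache or export code: stripping ".." from the input is not enough on its own, because percent-encoded variants, redundant separators and symlinks inside the cache directory can all produce a path that lands outside it after the filesystem resolves it.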

CVSS Analysis

  • CVE ID: CVE-2025-13377
  • Severity: CRITICAL
  • CVSS Score: 9.6

A CVSS score of 9.6 is in the critical range. It reflects a flaw that is reachable over the network by a low-privilege account with little attack complexity and whose consequence, the loss of arbitrary directories, is a high impact on integrity and availability. A deletion primitive does not by itself disclose data, so confidentiality is not directly affected.

Possible Impact

Successful exploitation of this vulnerability can have severe consequences:

  • Data Loss: Attackers can delete directories containing site content, uploads, or cached data that may not be recoverable without a backup.
  • Denial of Service (DoS): Deleting a directory the site depends on (a theme, an active plugin, or part of WordPress core) leaves the site unable to load until the files are restored.
  • Website Defacement: Defacement is not the primary impact, but deleting theme files or key plugins leaves a visibly broken site that resembles one.
  • Loss of Protective Controls: WordPress deactivates a plugin whose main file no longer exists, so deleting the directory of a security or access-control plugin removes that protection and eases follow-on attacks against the site or the server it runs on.

Mitigation and Patch Steps

The recommended mitigation is to update the 10Web Booster plugin immediately to the latest available version. The fix is in the releases after 2.32.7; after updating, confirm the installed version, since anything at or below 2.32.7 remains vulnerable.

To update the plugin:

  1. Log in to your WordPress dashboard.
  2. Navigate to “Plugins” -> “Installed Plugins.”
  3. Locate the “10Web Booster” plugin.
  4. Click the “Update Now” button. If no update is offered, go to “Dashboard” -> “Updates” and click “Check again” to refresh the plugin update information, then retry.

If you cannot update immediately, deactivate the plugin until you can apply the patch; deactivation stops its code from running, including the vulnerable cache-purge path. Because the attack only needs a Subscriber account, also review whether open registration (Settings → General → Membership) is necessary, and check recent user registrations and server file-deletion activity if it was enabled.
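A quick way to confirm exposure across a WordPress install, as an added audit helper in PHP that is not part of the plugin or of WordPress: it walks a wp-content/plugins directory, reads each plugin's header the way WordPress does (the "Plugin Name:" and "Version:" lines in the main file), and reports whether an installed copy of 10Web Booster is at or below 2.32.7. The helper names read_plugin_header(), find_booster() and is_vulnerable() and the sample plugin directory "tenweb-speed-optimizer" are assumptions; the sample install is constructed inline so the script runs offline.

```php
<?php
// Added audit helper, not plugin or WordPress code.
const LAST_VULNERABLE = '2.32.7';

// Read header fields from the first 8 KiB of a plugin file, mirroring the
// comment-header format WordPress parses ("Field: value" lines).
function read_plugin_header(string $file): array {
    $head   = file_get_contents($file, false, null, 0, 8192);
    $fields = [];
    foreach (['Plugin Name', 'Version'] as $key) {
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi', $head, $m)) {
            $fields[$key] = trim($m[1]);
        }
    }
    return $fields;
}

// Locate 10Web Booster by its header rather than by directory name, so a
// renamed or manually installed copy is still found.
function find_booster(string $pluginsDir): ?array {
    foreach (glob($pluginsDir . '/*/*.php') as $file) {
        $h = read_plugin_header($file);
        if (isset($h['Plugin Name']) && stripos($h['Plugin Name'], '10Web Booster') === 0) {
            return ['file' => $file, 'version' => $h['Version'] ?? '0'];
        }
    }
    return null;
}

// version_compare() understands dotted release numbers, so 2.32.10 sorts above 2.32.7.
function is_vulnerable(string $version): bool {
    return version_compare($version, LAST_VULNERABLE, '<=');
}

// Constructed sample install (assumed directory name). Point $plugins at the
// real wp-content/plugins path to audit a live site.
$plugins = sys_get_temp_dir() . '/plugins-demo-' . getmypid();
mkdir($plugins . '/tenweb-speed-optimizer', 0700, true);
file_put_contents(
    $plugins . '/tenweb-speed-optimizer/tenweb_speed_optimizer.php',
    "<?php\n/*\nPlugin Name: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer\nVersion: 2.32.7\n*/\n"
);

$found = find_booster($plugins);
if ($found === null) {
    echo "10Web Booster not installed\n";
} else {
    printf("%s (version %s): %s\n", $found['file'], $found['version'],
        is_vulnerable($found['version']) ? 'VULNERABLE, at or below ' . LAST_VULNERABLE : 'patched');
}

// Clean up the constructed sample.
unlink($plugins . '/tenweb-speed-optimizer/tenweb_speed_optimizer.php');
rmdir($plugins . '/tenweb-speed-optimizer');
rmdir($plugins);
```

Run it from the command line with the PHP binary on the server and point `$plugins` at the real plugins directory; a "VULNERABLE" result means the update or deactivation steps above still need to be applied.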
