{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13377", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-18T19:31:43.901Z", "datePublished": "2025-12-06T06:39:09.191Z", "dateUpdated": "2026-04-08T17:34:03.487Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:03.487Z"}, "affected": [{"vendor": "10web", "product": "10Web Booster \u2013 Website speed optimization, Cache & Page Speed optimizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.32.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The 10Web Booster \u2013 Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition."}], "title": "10Web Booster <= 2.32.7 - Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2025-11-20T08:28:37.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-05T18:28:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T21:27:01.311606Z", "id": "CVE-2025-13377", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:27:13.556Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13377", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T21:27:01.311606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:27:08.604Z"}}], "cna": {"title": "10Web Booster <= 2.32.7 - Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.6, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H"}}], "affected": [{"vendor": "10web", "product": "10Web Booster \u2013 Website speed optimization, Cache & Page Speed optimizer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.32.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-20T08:28:37.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-05T18:28:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer"}], "descriptions": [{"lang": "en", "value": "The 10Web Booster \u2013 Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:03.487Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13377", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:03.487Z", "dateReserved": "2025-11-18T19:31:43.901Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T06:39:09.191Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:10web:10web_booster:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "16DED6D1-1E0B-49BF-AF57-3B556D47D25E", "versionEndExcluding": "2.32.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The 10Web Booster \u2013 Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition."}], "id": "CVE-2025-13377", "lastModified": "2025-12-11T21:45:39.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-12-06T07:15:46.830", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:59:45.475881+00:00", "value": {"mitigation_remediation": ["Upgrade to 10Web Booster version 2.32.8 or later to remove the flaw", "Restrict or remove unnecessary Subscriber and higher\u2011privilege user accounts", "Configure file system permissions so that only privileged system processes can delete critical directories"], "summary": {"action": "Patch", "impact": "Directory Deletion & Denial of Service"}, "threat_synthesis": {"affected_systems": "WordPress sites running the 10Web Booster \u2013 Website speed optimization, Cache & Page Speed optimizer plugin, with any version up to and including 2.32.7. The vulnerability is present in all versions of the plugin through 2.32.7; newer releases have been fixed.", "description_and_impact": "The 10Web Booster plugin contains a flaw in the get_cache_dir_for_page_from_url() routine that fails to validate file paths correctly. This weakness allows an attacker with authenticated Subscriber-level access or higher to specify an arbitrary path, causing the server to delete any folder for which the user has filesystem rights. The resulting loss of folders can erase website data, break site functionality, or render the site unavailable. The root cause is a path\u2011traversal vulnerability (CWE\u201122).", "risk_and_exploitability": "The container has a CVSS score of 9.6, indicating high severity. The EPSS score of < 1% suggests that exploitation is currently not common, but the vulnerability remains actively exploitable for any authenticated user with Subscriber or higher role. The flaw is not listed in the CISA KEV catalog, so there is no known active exploitation campaign, yet the combination of a high impact and a viable attack path warrants urgent attention. An attacker must first authenticate to the WordPress admin area with a Subscriber or higher role, then trigger the deletion via the two_clear_page_cache function, which can target arbitrary directories on the server."}}}}, "created": "2025-12-08T09:39:38.473216+00:00", "updated": "2026-04-21T01:00:12.996269+00:00", "vendors": ["10web", "10web$PRODUCT$10web_booster", "wordpress", "wordpress$PRODUCT$wordpress"]}