{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8575", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-05T00:23:10.299Z", "datePublished": "2025-09-12T05:24:31.396Z", "dateUpdated": "2026-04-08T17:34:20.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:20.206Z"}, "affected": [{"vendor": "aurelienlws", "product": "LWS Cleaner", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "LWS Cleaner <= 2.4.1.3 - Authenticated (Administrator+) Arbitrary File Deletion via 'lws_cl_delete_file'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa37025a-7f20-4cfe-a7d0-38168f49b6d9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lws-cleaner/trunk/lws-cleaner.php#L1144"}, {"url": "https://plugins.trac.wordpress.org/changeset/3359598/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-36 Absolute Path Traversal", "cweId": "CWE-36", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-09-11T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-12T16:30:29.186525Z", "id": "CVE-2025-8575", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-12T16:30:45.507Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8575", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-12T16:30:29.186525Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-12T16:30:41.037Z"}}], "cna": {"title": "LWS Cleaner <= 2.4.1.3 - Authenticated (Administrator+) Arbitrary File Deletion via 'lws_cl_delete_file'", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "aurelienlws", "product": "LWS Cleaner", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-11T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa37025a-7f20-4cfe-a7d0-38168f49b6d9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lws-cleaner/trunk/lws-cleaner.php#L1144"}, {"url": "https://plugins.trac.wordpress.org/changeset/3359598/"}], "descriptions": [{"lang": "en", "value": "The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-36", "description": "CWE-36 Absolute Path Traversal"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:20.206Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8575", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:20.206Z", "dateReserved": "2025-08-05T00:23:10.299Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-12T05:24:31.396Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "id": "CVE-2025-8575", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-12T06:15:43.810", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lws-cleaner/trunk/lws-cleaner.php#L1144"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3359598/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa37025a-7f20-4cfe-a7d0-38168f49b6d9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-36"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:34:22.274103+00:00", "value": {"mitigation_remediation": ["Upgrade the LWS Cleaner plugin to a version newer than 2.4.1.3 to remove the vulnerability.", "If an upgrade is not immediately possible, disable or uninstall the LWS Cleaner plugin to eliminate the attack surface.", "Enforce least privilege for administrator accounts and regularly audit user roles; restrict or remove unnecessary administrator privileges."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file deletion with potential remote code execution"}, "threat_synthesis": {"affected_systems": "WordPress users running the LWS Cleaner plugin, version 2.4.1.3 or earlier, are affected. The problem is absent only in releases newer than 2.4.1.3.", "description_and_impact": "The LWS Cleaner WordPress plugin contains a flaw in the lws_cl_delete_file function that fails to properly validate file paths. The flaw allows an authenticated user with Administrator-level or higher privileges to delete any file on the server, including critical configuration files such as wp-config.php. Removing such files can lead to immediate compromise of the site or remote code execution, as the attacker can replace them with malicious content. The vulnerability is documented as CWE\u201136, an absolute path traversal weakness.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity when Administrative credentials are compromised. With an EPSS score of 2%, the probability of exploitation is low but non\u2011negligible, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers need authenticated access at the Administrator level; there is no known unauthenticated vector. The risk is concentrated in environments where strong admin privileges are shared or where credentials could be obtained via phishing or credential stuffing."}}}}, "created": "2025-09-15T10:43:59.834974+00:00", "updated": "2026-04-20T19:45:15.504284+00:00", "vendors": ["lws", "lws$PRODUCT$lws_cleaner", "wordpress", "wordpress$PRODUCT$wordpress"]}