Platform
wordpress
Component
tenweb-speed-optimizer
Fixed version
2.32.8
CVE-2025-13377 is a critical vulnerability affecting the 10Web Booster WordPress plugin, a website speed optimization tool. This vulnerability allows authenticated attackers to delete arbitrary folders on the server, potentially leading to significant data loss or a denial-of-service condition. The vulnerability impacts versions 0.0.0 through 2.32.7, and a fix is available in version 2.32.11.
The core of the issue is insufficient file path validation in the getcachedirforpagefromurl() function. Because the function does not adequately validate the path it derives from the request URL, any authenticated user with Subscriber-level access or higher can craft requests that bypass the intended checks and, by manipulating the URL, make the plugin delete any folder on the server. The potential impact is severe: loss of website data, of critical configuration files, or of the entire server file system is possible. This vulnerability presents a significant risk to website integrity and availability.
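The bug class described above is a cache-directory resolver that trusts the request path. The following Python illustration is added here and is not the plugin's code: the cache root, the URL-to-folder mapping and the function names are assumptions chosen to show the pattern, with an unvalidated resolver next to a hardened one that confines every derived path to the cache root before anything is deleted.

```python
import os
import shutil
from typing import Optional
from urllib.parse import urlparse

# Hypothetical cache root; the real plugin's directory layout is not described on the page.
CACHE_ROOT = "/var/www/html/wp-content/cache/tenweb-speed-optimizer"


def cache_dir_unsafe(url: str, root: str = CACHE_ROOT) -> str:
    """Derive a per-page cache folder from a URL with no validation.

    Illustrates the bug class only: '..' segments in the request path are
    joined straight onto the cache root, so the result can point anywhere.
    """
    page_path = urlparse(url).path.strip("/") or "index"
    return os.path.join(root, page_path)


def cache_dir_safe(url: str, root: str = CACHE_ROOT) -> Optional[str]:
    """Hardened variant: the URL path may only select a folder *inside* root.

    Returns None when the derived path escapes the cache root; callers must
    treat None as 'delete nothing'.
    """
    page_path = urlparse(url).path.strip("/") or "index"
    # Collapse '.', '..' and duplicate separators before comparing.
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, page_path))
    # commonpath is the robust containment test; a plain string-prefix check
    # would wrongly accept '/cache/tenweb-evil' as being inside '/cache/tenweb'.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def purge_page_cache(url: str, root: str = CACHE_ROOT) -> bool:
    """Delete a page's cache folder only if it resolves inside the cache root.

    Returns False (and touches nothing) for traversal attempts and for a
    request that would wipe the whole cache root itself.
    """
    target = cache_dir_safe(url, root)
    if target is None or target == os.path.abspath(root):
        return False
    shutil.rmtree(target, ignore_errors=True)
    return True


if __name__ == "__main__":
    # Constructed sample URLs: one ordinary page and one traversal attempt.
    for u in ("https://example.com/blog/post-1/", "https://example.com/../../../../etc"):
        print(u, "->", cache_dir_unsafe(u), "|", cache_dir_safe(u))
```

The defensive point is the containment check after normalisation: normalising alone is not enough, because a normalised path can still lie outside the root, and checking before normalisation is not enough, because `..` segments are only resolved by `abspath`.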
This vulnerability was publicly disclosed on 2025-12-06. While no active exploitation campaigns have been confirmed at the time of writing, the ease of exploitation and the potential for significant impact suggest a high likelihood of exploitation attempts. There are currently no public proof-of-concept exploits available, but the vulnerability's simplicity makes it likely that such exploits will emerge. It is not listed on the CISA KEV catalog as of this writing.
WordPress websites utilizing the 10Web Booster plugin, particularly those with a large number of users with Subscriber or higher roles, are at significant risk. Shared hosting environments where multiple WordPress installations share the same server resources are also particularly vulnerable, as a compromise of one site could potentially impact others.
• wordpress: Use wp-cli to check the installed plugin version:
  wp plugin list --status=active | grep tenweb-speed-optimizer
• wordpress: Examine the plugin's files for the getcachedirforpagefromurl() function and surrounding code for potential vulnerabilities.
• generic web: Monitor server access logs for unusual file deletion requests targeting cache directories.
• generic web: Check WordPress user roles and permissions to ensure the principle of least privilege is enforced.
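The version check above is easy to get wrong by hand, because "2.32.11" sorts before "2.32.7" as a string. The following Python script is an added example, not part of the page or the plugin: it reads the JSON form of `wp plugin list` (a constructed sample is embedded for offline use), compares the installed version numerically against the affected range and the recommended version stated in this advisory, and reports the result. The field names assume wp-cli's default JSON columns (`name`, `status`, `update`, `version`).

```python
import json
import re
import sys
from typing import Dict, Tuple

PLUGIN_SLUG = "tenweb-speed-optimizer"
LAST_AFFECTED = "2.32.7"   # highest version the advisory lists as affected
RECOMMENDED = "2.32.11"    # version the advisory recommends upgrading to

# Constructed sample of `wp plugin list --status=active --format=json` output.
SAMPLE_WP_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": PLUGIN_SLUG, "status": "active", "update": "available", "version": "2.31.4"},
])


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.32.11' (or '2.32.8-beta') into a numerically comparable tuple."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:          # pad so '2.32' compares like '2.32.0'
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version falls in 0.0.0 through LAST_AFFECTED."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def audit_plugin_list(wp_json: str) -> Dict[str, object]:
    """Locate the plugin in wp-cli JSON output and classify its version."""
    for plugin in json.loads(wp_json):
        if plugin.get("name") != PLUGIN_SLUG:
            continue
        version = plugin.get("version", "0.0.0")
        return {
            "installed": True,
            "status": plugin.get("status"),
            "version": version,
            "affected": is_affected(version),
            "meets_recommended": parse_version(version) >= parse_version(RECOMMENDED),
        }
    return {"installed": False}


if __name__ == "__main__":
    # Usage on a real site:  wp plugin list --format=json | python3 audit_tenweb.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_JSON
    print(json.dumps(audit_plugin_list(data), indent=2))
```

Dropping `--status=active` from the wp-cli call is deliberate for an audit: an inactive copy of an affected version still sits on disk and still needs updating or removal.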
disclosure
Exploitation status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the 10Web Booster plugin to version 2.32.11 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider restricting file system permissions for the WordPress user account to minimize the potential damage from a successful attack. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious file path manipulation attempts. Regularly review WordPress user roles and permissions to ensure the principle of least privilege is enforced.
Update to version 2.32.11, or a newer patched version
CVE-2025-13377 is a critical vulnerability in the 10Web Booster WordPress plugin allowing authenticated attackers to delete server folders, potentially causing data loss or a denial of service.
If you are using 10Web Booster version 0.0.0 through 2.32.7, you are affected by this vulnerability. Upgrade immediately.
Upgrade the 10Web Booster plugin to version 2.32.11 or later to resolve the vulnerability. Consider restricting file system permissions as a temporary workaround.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation suggests a high likelihood of future attempts.
Refer to the 10Web Booster website and WordPress plugin repository for the latest security advisories and updates.