CVE-2025-13377HIGH 8.1EPSS p37.6%

CVE-2025-13377CVE-2025-13377

Description

The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS0.48% probability of exploitation · percentile 37.6% · 2026-06-18T12:00:27Z
Published2025-12-06
Last modified2025-12-11

Underlying weaknesses· 1

CWE-22

References

  1. https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-12656
CVE
CVE-2026-7252
CVE
CVE-2025-7359
CVE
CVE-2025-10916
CVE
CVE-2025-13322
CVE
CVE-2025-14344
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.