Arbitrary Folder Deletion Vulnerability in 10Web Booster Plugin for WordPress
CVE-2025-13377

9.6 CRITICAL

What is CVE-2025-13377?

The 10Web Booster plugin for WordPress is affected by a vulnerability allowing authenticated users with Subscriber-level access or higher to delete arbitrary folders on the server. This issue arises from inadequate file path validation in the get_cache_dir_for_page_from_url() function, leading to potential data loss or denial of service. Website administrators should ensure they are using the latest version of the plugin to mitigate risks.

Affected Version(s)

10Web Booster – Website speed optimization, Cache & Page Speed optimizer * <= 2.32.7

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Angus Girvan