CVE-2025-13377
Published: 06 December 2025
Summary
CVE-2025-13377 is a critical-severity Path Traversal (CWE-22) vulnerability in 10Web 10Web Booster. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the root cause of CWE-22 path traversal by enforcing input validation on file paths in the get_cache_dir_for_page_from_url() function to prevent arbitrary folder deletion.
Requires timely remediation of the specific flaw in the 10Web Booster plugin via patching to versions beyond 2.32.7, eliminating the vulnerability.
Limits the impact by enforcing least privilege, ensuring subscriber-level users lack permissions for arbitrary folder deletions even if the flawed function is invoked.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables arbitrary folder deletion on the server, directly facilitating File Deletion (T1070.004) for evasion or cleanup and Data Destruction (T1485) for data loss and DoS impact.
NVD Description
The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This…
more
makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.
Deeper analysisAI
CVE-2025-13377 is a high-severity vulnerability in the 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress, affecting all versions up to and including 2.32.7. It stems from insufficient file path validation in the get_cache_dir_for_page_from_url() function, enabling arbitrary folder deletion on the server. The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed function, they can delete arbitrary folders, potentially causing significant data loss or denial-of-service conditions across the impacted WordPress site and possibly changing the scope to affect other components due to the high integrity and availability impacts.
Mitigation is addressed in the plugin's patch via WordPress changeset 3402434 at https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer. Additional details on the vulnerability and intelligence are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve. Security practitioners should update to a version beyond 2.32.7 and review access controls for low-privilege users.
Details
- CWE(s)