Cyber Resilience

CVE-2025-13377

Critical

Published: 06 December 2025

Published
06 December 2025
Modified
11 December 2025
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
EPSS Score 0.0009 24.8th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13377 is a critical-severity Path Traversal (CWE-22) vulnerability in 10Web 10Web Booster. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-13377 is a high-severity vulnerability in the 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress, affecting all versions up to and including 2.32.7. It stems from insufficient file path validation in the get_cache_dir_for_page_from_url() function, enabling arbitrary folder deletion on the server. The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed function, they can delete arbitrary folders, potentially causing significant data loss or denial-of-service conditions across the impacted WordPress site and possibly changing the scope to affect other components due to the high integrity and availability impacts.

Mitigation is addressed in the plugin's patch via WordPress changeset 3402434 at https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer. Additional details on the vulnerability and intelligence are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve. Security practitioners should update to a version beyond 2.32.7 and review access controls for low-privilege users.

EU & UK References

Vulnerability details

The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This…

more

makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

The vulnerability enables arbitrary folder deletion on the server, directly facilitating File Deletion (T1070.004) for evasion or cleanup and Data Destruction (T1485) for data loss and DoS impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68862Shared CWE-22
CVE-2025-15589Shared CWE-22
CVE-2026-27040Shared CWE-22
CVE-2024-13897Shared CWE-22
CVE-2026-24135Shared CWE-22
CVE-2026-24969Shared CWE-22
CVE-2024-13910Shared CWE-22
CVE-2025-68907Shared CWE-22
CVE-2025-5391Shared CWE-22
CVE-2025-65879Shared CWE-22

Affected Assets

10web
10web booster
≤ 2.32.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the root cause of CWE-22 path traversal by enforcing input validation on file paths in the get_cache_dir_for_page_from_url() function to prevent arbitrary folder deletion.

prevent

Requires timely remediation of the specific flaw in the 10Web Booster plugin via patching to versions beyond 2.32.7, eliminating the vulnerability.

prevent

Limits the impact by enforcing least privilege, ensuring subscriber-level users lack permissions for arbitrary folder deletions even if the flawed function is invoked.

References