Search criteria
4 vulnerabilities found for 10web_booster by 10web
CVE-2025-13377 (GCVE-0-2025-13377)
Vulnerability from nvd – Published: 2025-12-06 06:39 – Updated: 2025-12-08 21:27
VLAI?
Title
10Web Booster <= 2.32.7 - Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache
Summary
The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.
Severity ?
9.6 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| 10web | 10Web Booster – Website speed optimization, Cache & Page Speed optimizer |
Affected:
* , ≤ 2.32.7
(semver)
|
Credits
Angus Girvan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13377",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T21:27:01.311606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T21:27:13.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "10Web Booster \u2013 Website speed optimization, Cache \u0026 Page Speed optimizer",
"vendor": "10web",
"versions": [
{
"lessThanOrEqual": "2.32.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The 10Web Booster \u2013 Website speed optimization, Cache \u0026 Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T06:39:09.191Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-20T08:28:37.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-05T18:28:50.000+00:00",
"value": "Disclosed"
}
],
"title": "10Web Booster \u003c= 2.32.7 - Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13377",
"datePublished": "2025-12-06T06:39:09.191Z",
"dateReserved": "2025-11-18T19:31:43.901Z",
"dateUpdated": "2025-12-08T21:27:13.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5559 (GCVE-0-2023-5559)
Vulnerability from nvd – Published: 2023-11-27 16:22 – Updated: 2024-08-02 07:59
VLAI?
Title
10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion
Summary
The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | 10Web Booster |
Affected:
0 , < 2.24.18
(semver)
|
Credits
Krzysztof Zając
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.808Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/eba46f7d-e4db-400c-8032-015f21087bbf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "10Web Booster",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.24.18",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-27T16:22:06.218Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/eba46f7d-e4db-400c-8032-015f21087bbf"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "10Web Booster \u003c 2.24.18 - Unauthenticated Arbitrary Option Deletion",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-5559",
"datePublished": "2023-11-27T16:22:06.218Z",
"dateReserved": "2023-10-12T14:55:58.100Z",
"dateUpdated": "2024-08-02T07:59:44.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-13377 (GCVE-0-2025-13377)
Vulnerability from cvelistv5 – Published: 2025-12-06 06:39 – Updated: 2025-12-08 21:27
VLAI?
Title
10Web Booster <= 2.32.7 - Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache
Summary
The 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.
Severity ?
9.6 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| 10web | 10Web Booster – Website speed optimization, Cache & Page Speed optimizer |
Affected:
* , ≤ 2.32.7
(semver)
|
Credits
Angus Girvan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13377",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T21:27:01.311606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T21:27:13.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "10Web Booster \u2013 Website speed optimization, Cache \u0026 Page Speed optimizer",
"vendor": "10web",
"versions": [
{
"lessThanOrEqual": "2.32.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The 10Web Booster \u2013 Website speed optimization, Cache \u0026 Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T06:39:09.191Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-20T08:28:37.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-05T18:28:50.000+00:00",
"value": "Disclosed"
}
],
"title": "10Web Booster \u003c= 2.32.7 - Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13377",
"datePublished": "2025-12-06T06:39:09.191Z",
"dateReserved": "2025-11-18T19:31:43.901Z",
"dateUpdated": "2025-12-08T21:27:13.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5559 (GCVE-0-2023-5559)
Vulnerability from cvelistv5 – Published: 2023-11-27 16:22 – Updated: 2024-08-02 07:59
VLAI?
Title
10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion
Summary
The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | 10Web Booster |
Affected:
0 , < 2.24.18
(semver)
|
Credits
Krzysztof Zając
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.808Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/eba46f7d-e4db-400c-8032-015f21087bbf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "10Web Booster",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.24.18",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-27T16:22:06.218Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/eba46f7d-e4db-400c-8032-015f21087bbf"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "10Web Booster \u003c 2.24.18 - Unauthenticated Arbitrary Option Deletion",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-5559",
"datePublished": "2023-11-27T16:22:06.218Z",
"dateReserved": "2023-10-12T14:55:58.100Z",
"dateUpdated": "2024-08-02T07:59:44.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}