Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Network-delivered via WordPress web interface; Editor credentials required (PR:H); full confidentiality loss possible via wp-config.php; no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
The LWS Optimize - All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.
AnalysisAI
Arbitrary file read in the LWS Optimize WordPress plugin (versions up to and including 3.3.19) permits authenticated users with Editor-level access or above to retrieve any file readable by the web-server process, including sensitive files such as wp-config.php. The vulnerable combine_current_css() function blindly trusts stylesheet href values harvested from page HTML, resolves them to absolute filesystem paths, and passes them to file_get_contents() without enforcing a safe-directory boundary or a .css extension check - a classic CWE-22 path traversal pattern. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the attack path is straightforward given the source code is publicly accessible in the WordPress plugin repository.
Technical ContextAI
The vulnerability is rooted in the CSS combination and minification feature of the LWS Optimize plugin, implemented in Classes/Front/LwsOptimizeCSSManager.php (lines 61 and 289 in the 3.3.19 release tag). The combine_current_css() function parses page HTML for <link rel='stylesheet' href='...'> tags and converts same-site href values into absolute server filesystem paths before feeding them to file_get_contents() and Minify\CSS::add(). The critical omission is the absence of any validation ensuring the resolved path remains within ABSPATH (the WordPress installation root) or that the file extension is .css. CWE-22 (Path Traversal) describes this root cause class: attacker-influenced input is used in filesystem operations without canonicalization or boundary enforcement, allowing directory traversal sequences to escape the intended directory. The CPE cpe:2.3:a:aurelienlws:lws_optimize_-_all-in-one_speed_booster_&_cache_tools:*:*:*:*:*:*:*:* covers all versions up to and including 3.3.19. Discovery and reporting are attributed to Wordfence.
RemediationAI
No vendor-released patched version is identified in the available data; the input references point exclusively to the vulnerable 3.3.19 codebase with no upstream fix commit or tagged release confirmed. Upstream fix availability should be monitored via the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/5cb80db2-753c-40fa-aee4-7d8c1749d037 and applied immediately upon release. As a primary compensating control, disable the CSS combination/minification feature within the LWS Optimize plugin settings - this eliminates the vulnerable combine_current_css() code path entirely at the cost of losing CSS concatenation and minification optimization, which may have minor performance impact. Additionally, audit and restrict Editor-role assignments to fully trusted users only, reducing the pool of accounts capable of exploitation. Implementing a WAF rule to flag path traversal patterns (e.g., ../ sequences) in CSS-related WordPress plugin requests can serve as a detection layer but should not be relied upon as a sole control given legitimate CSS paths could vary widely.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36635
GHSA-cx9x-fm2c-c65m