Skip to main content

LWS Optimize CVE-2026-12089

| EUVDEUVD-2026-36635 MEDIUM
Path Traversal (CWE-22)
2026-06-13 Wordfence GHSA-cx9x-fm2c-c65m
4.9
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Network-delivered via WordPress web interface; Editor credentials required (PR:H); full confidentiality loss possible via wp-config.php; no integrity or availability impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 13, 2026 - 02:57 vuln.today
CVE Published
Jun 13, 2026 - 02:29 cve.org
MEDIUM 4.9

DescriptionNVD

The LWS Optimize - All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.

AnalysisAI

Arbitrary file read in the LWS Optimize WordPress plugin (versions up to and including 3.3.19) permits authenticated users with Editor-level access or above to retrieve any file readable by the web-server process, including sensitive files such as wp-config.php. The vulnerable combine_current_css() function blindly trusts stylesheet href values harvested from page HTML, resolves them to absolute filesystem paths, and passes them to file_get_contents() without enforcing a safe-directory boundary or a .css extension check - a classic CWE-22 path traversal pattern. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the attack path is straightforward given the source code is publicly accessible in the WordPress plugin repository.

Technical ContextAI

The vulnerability is rooted in the CSS combination and minification feature of the LWS Optimize plugin, implemented in Classes/Front/LwsOptimizeCSSManager.php (lines 61 and 289 in the 3.3.19 release tag). The combine_current_css() function parses page HTML for <link rel='stylesheet' href='...'> tags and converts same-site href values into absolute server filesystem paths before feeding them to file_get_contents() and Minify\CSS::add(). The critical omission is the absence of any validation ensuring the resolved path remains within ABSPATH (the WordPress installation root) or that the file extension is .css. CWE-22 (Path Traversal) describes this root cause class: attacker-influenced input is used in filesystem operations without canonicalization or boundary enforcement, allowing directory traversal sequences to escape the intended directory. The CPE cpe:2.3:a:aurelienlws:lws_optimize_-_all-in-one_speed_booster_&_cache_tools:*:*:*:*:*:*:*:* covers all versions up to and including 3.3.19. Discovery and reporting are attributed to Wordfence.

RemediationAI

No vendor-released patched version is identified in the available data; the input references point exclusively to the vulnerable 3.3.19 codebase with no upstream fix commit or tagged release confirmed. Upstream fix availability should be monitored via the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/5cb80db2-753c-40fa-aee4-7d8c1749d037 and applied immediately upon release. As a primary compensating control, disable the CSS combination/minification feature within the LWS Optimize plugin settings - this eliminates the vulnerable combine_current_css() code path entirely at the cost of losing CSS concatenation and minification optimization, which may have minor performance impact. Additionally, audit and restrict Editor-role assignments to fully trusted users only, reducing the pool of accounts capable of exploitation. Implementing a WAF rule to flag path traversal patterns (e.g., ../ sequences) in CSS-related WordPress plugin requests can serve as a detection layer but should not be relied upon as a sole control given legitimate CSS paths could vary widely.

Share

CVE-2026-12089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy