The vulnerability CVE-2025-13377 affects the 10Web Booster plugin for WordPress, a popular tool for website speed optimization and caching. The root cause is improper limitation of a pathname to a restricted directory (CWE-22), specifically in the get_cache_dir_for_page_from_url() function. This function fails to adequately validate or sanitize file paths, allowing an authenticated attacker with as low as Subscriber-level privileges to craft requests that traverse directories and delete arbitrary folders on the server. This can lead to deletion of critical website files or cache directories, causing data loss or denial of service conditions. The vulnerability affects all plugin versions up to 2.32.7, and no user interaction is required beyond authentication. The CVSS 3.1 base score is 9.6, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and a scope change with high impact on integrity and availability. Although no exploits are publicly known, the ease of exploitation and potential damage make this a critical threat. The vulnerability is particularly dangerous because it allows attackers to escalate damage from a low-privilege account, which is common on WordPress sites where many users have Subscriber roles. The lack of a patch at the time of publication means organizations must implement interim mitigations to protect their environments.

For European organizations, this vulnerability poses a significant risk to website availability and data integrity. Many businesses, including e-commerce, media, and service providers, rely on WordPress and plugins like 10Web Booster to optimize site performance. Exploitation could result in deletion of cache or other critical folders, leading to website downtime, loss of customer trust, and potential revenue loss. Since the attack requires only Subscriber-level access, attackers could leverage compromised or malicious user accounts to cause damage without needing administrative credentials. This increases the attack surface, especially for organizations with large user bases or weak user management policies. Additionally, denial of service caused by folder deletion could disrupt business operations and impact compliance with data availability requirements under regulations like GDPR. The integrity impact may also affect content accuracy and reliability, further damaging organizational reputation.

Organizations should immediately audit their WordPress installations to identify the presence of the 10Web Booster plugin and its version. Until an official patch is released, restrict Subscriber-level user capabilities to minimize the risk of exploitation, such as disabling file management or deletion permissions. Implement Web Application Firewall (WAF) rules to detect and block suspicious path traversal patterns targeting the vulnerable function. Monitor logs for unusual deletion activities or access patterns related to cache directories. Employ strict file system permissions to prevent the web server user from deleting critical directories outside intended cache folders. Regularly back up website data and cache directories to enable rapid restoration in case of an attack. Once a patch is available, prioritize immediate update of the plugin. Additionally, consider isolating WordPress instances or running them in containerized environments to limit the blast radius of potential exploits.