CVE-2025-13377 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) found in the 10Web Booster plugin for WordPress, a tool designed to optimize website speed and caching. The vulnerability arises from inadequate validation of file paths in the get_cache_dir_for_page_from_url() function, which is responsible for determining cache directories based on URLs. This flaw allows authenticated attackers with as low as Subscriber-level privileges to craft malicious requests that manipulate the file path, enabling deletion of arbitrary folders on the server hosting the WordPress site. Since the plugin affects all versions up to and including 2.32.7, a broad range of installations are vulnerable. The attack vector is network-based and requires authentication but no additional user interaction. Exploiting this vulnerability can lead to severe consequences including deletion of critical files or directories, resulting in data loss and denial of service conditions that disrupt website availability. The CVSS v3.1 score of 9.6 reflects the high impact on integrity and availability, low attack complexity, and the requirement of low privileges. Although no known exploits are currently reported in the wild, the vulnerability's nature and severity make it a prime target for attackers aiming to compromise WordPress sites using this plugin. The vulnerability's scope is significant given WordPress's dominant market share in content management systems and the popularity of 10Web Booster for performance optimization.

The impact of CVE-2025-13377 is substantial for organizations running WordPress sites with the 10Web Booster plugin installed. Attackers with minimal privileges (Subscriber-level) can delete arbitrary folders on the server, potentially erasing critical website data, cached content, or even application files. This can lead to website downtime, loss of user trust, and costly recovery efforts. For e-commerce, media, or service websites, such disruptions can translate into direct financial losses and reputational damage. The vulnerability compromises data integrity and availability but does not directly impact confidentiality. However, the resulting denial of service can be leveraged as part of broader attack campaigns or ransomware operations. Given the plugin’s role in caching and optimization, deletion of cache folders can degrade website performance and user experience significantly. Organizations with high-traffic websites or those relying heavily on WordPress for business operations are particularly vulnerable. The ease of exploitation and low privilege requirement increase the likelihood of exploitation, especially in environments where user access controls are lax or where Subscriber accounts are common.

To mitigate CVE-2025-13377, organizations should immediately update the 10Web Booster plugin to a patched version once released by the vendor. In the absence of an official patch, administrators should consider disabling or uninstalling the plugin to prevent exploitation. Implement strict access controls to limit Subscriber-level accounts and audit user privileges regularly to minimize the attack surface. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious path traversal patterns targeting the get_cache_dir_for_page_from_url() function. Monitor server logs for unusual deletion activities or unauthorized file system changes. Additionally, implement regular backups of website data and server configurations to enable rapid recovery in case of data loss. Security teams should also conduct penetration testing focused on path traversal vulnerabilities and review plugin usage policies to ensure only trusted plugins are installed. Finally, educate site administrators and users about the risks of privilege misuse and enforce strong authentication mechanisms to reduce the risk of compromised accounts.