CVE-2025-13377 is a critical security vulnerability identified in the 10Web Booster plugin for WordPress, a widely used tool for website speed optimization and caching. The vulnerability stems from improper limitation of a pathname to a restricted directory (CWE-22), specifically in the get_cache_dir_for_page_from_url() function. This function fails to adequately validate file paths, allowing authenticated users with minimal privileges (Subscriber-level or higher) to perform path traversal attacks. By exploiting this flaw, an attacker can delete arbitrary folders on the server hosting the WordPress site. This can result in significant data loss or a denial of service condition, as critical files or directories may be removed. The vulnerability affects all plugin versions up to 2.32.7. The CVSS v3.1 base score is 9.6 (critical), reflecting the vulnerability's high impact on integrity and availability, ease of exploitation over the network without user interaction, and the low privilege required. Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a high-risk issue. The attack scope is broad since many WordPress sites use this plugin, and subscriber accounts are common, increasing the potential attack surface. The vulnerability's exploitation does not impact confidentiality directly but severely compromises data integrity and availability, potentially disrupting business operations and causing reputational damage.

For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress websites with the 10Web Booster plugin installed. The ability for low-privileged authenticated users to delete arbitrary folders can lead to website downtime, loss of cached data, or deletion of critical files, resulting in denial of service and operational disruption. This can affect e-commerce platforms, media outlets, and any service relying on WordPress for content delivery. The impact extends to customer trust and regulatory compliance, particularly under GDPR, where data integrity and availability are critical. Recovery from such attacks may require restoring from backups, which could be time-consuming and costly. Additionally, organizations with large subscriber bases or weak user account controls are at increased risk. The lack of public exploits currently limits immediate widespread attacks, but the vulnerability's critical nature demands urgent attention to prevent future exploitation.

Organizations should immediately audit their WordPress installations to identify the presence of the 10Web Booster plugin and verify the version in use. Until an official patch is released, it is advisable to restrict subscriber-level permissions to the minimum necessary, potentially disabling or limiting plugin functionality for these users. Implement strict access controls and monitor user activities for suspicious behavior indicative of exploitation attempts. Regularly back up website data and cache directories to enable rapid recovery in case of data deletion. Employ file integrity monitoring solutions to detect unauthorized changes or deletions in real time. Once a patch is available, prioritize its deployment across all affected systems. Additionally, consider isolating WordPress environments and employing web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting this vulnerability. Educate administrators and users about the risks associated with low-privilege accounts and enforce strong authentication mechanisms to reduce the risk of account compromise.