The vulnerability identified as CVE-2025-8575 affects the LWS Cleaner plugin for WordPress, specifically all versions up to and including 2.4.1.3. The root cause is an absolute path traversal weakness (CWE-36) in the 'lws_cl_delete_file' function, which fails to properly validate file paths before deletion. This flaw enables an authenticated attacker with Administrator-level access or higher to specify arbitrary file paths for deletion on the hosting server. Because WordPress plugins typically run with the same permissions as the web server user, deleting critical files such as wp-config.php or other configuration and code files can lead to denial of service or facilitate remote code execution by destabilizing the environment or enabling further exploitation. The vulnerability does not require user interaction but does require elevated privileges, limiting exploitation to trusted users or compromised admin accounts. The CVSS v3.1 base score is 7.2, reflecting high impact on confidentiality, integrity, and availability, with network attack vector and low attack complexity. No patches or exploits are currently publicly available, but the risk remains significant due to the potential for server takeover. The vulnerability was reserved in early August 2025 and published in September 2025, indicating recent discovery.

This vulnerability poses a significant risk to organizations running WordPress sites with the LWS Cleaner plugin installed. An attacker with Administrator privileges can delete arbitrary files, potentially removing critical configuration files like wp-config.php, which can cause site outages or enable remote code execution. This can lead to full server compromise, data breaches, defacement, or persistent backdoors. The impact extends to confidentiality (exposure of sensitive data), integrity (unauthorized file deletion and modification), and availability (site downtime). Since WordPress powers a large portion of the web, and many sites have multiple administrators, the risk of insider threats or compromised admin accounts exploiting this vulnerability is notable. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as weaponization could occur rapidly. Organizations relying on this plugin face potential reputational damage, financial loss, and regulatory consequences if exploited.

Organizations should immediately verify if the LWS Cleaner plugin is installed and identify the version in use. Since no official patch links are provided yet, administrators should consider disabling or uninstalling the plugin until a secure version is released. Restricting Administrator-level access to trusted personnel and enforcing strong authentication mechanisms (e.g., MFA) can reduce the risk of exploitation. Monitoring file system integrity and logs for suspicious deletion activity is recommended. Implementing web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable function may provide temporary protection. Regular backups of critical files such as wp-config.php should be maintained to enable rapid recovery. Once a patch is available, prompt application is essential. Additionally, auditing user privileges and minimizing the number of administrators can reduce attack surface.