CVE-2026-12089: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aurelienlws LWS Optimize – All-in-One Speed Booster & Cache Tools
The LWS Optimize – All-in-One Speed Booster & Cache Tools WordPress plugin up to version 3.3.19 contains a path traversal vulnerability. This flaw allows authenticated users with Editor-level or higher privileges to read arbitrary files on the server. The vulnerability arises because the plugin's combine_current_css() function improperly trusts stylesheet link href values, converting them to filesystem paths without restricting them to the WordPress root directory or ensuring they have a .css extension. This can lead to unauthorized disclosure of sensitive file contents.
AI Analysis
Technical Summary
CVE-2026-12089 is a path traversal vulnerability (CWE-22) in the LWS Optimize – All-in-One Speed Booster & Cache Tools WordPress plugin, affecting versions up to and including 3.3.19. The vulnerability exists in the combine_current_css() function, which processes <link rel="stylesheet" href="..."> elements from page HTML. It converts same-site URLs to absolute filesystem paths and reads them using file_get_contents() and Minify\CSS::add() without verifying that the resolved path remains within the WordPress ABSPATH or that the file has a .css extension. This improper validation allows authenticated attackers with Editor or higher privileges to read arbitrary files on the server.
Potential Impact
An attacker with Editor-level or higher privileges can exploit this vulnerability to read arbitrary files on the server, potentially exposing sensitive information such as configuration files, credentials, or other protected data. The vulnerability does not allow code execution or modification, but the confidentiality impact is high. The CVSS v3.1 base score is 4.9 (medium severity) with network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Editor-level access to trusted users only and monitor for suspicious activity. Avoid using this plugin version in high-risk environments. Follow the vendor's updates closely for any released patches or official mitigations.
CVE-2026-12089: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aurelienlws LWS Optimize – All-in-One Speed Booster & Cache Tools
Description
The LWS Optimize – All-in-One Speed Booster & Cache Tools WordPress plugin up to version 3.3.19 contains a path traversal vulnerability. This flaw allows authenticated users with Editor-level or higher privileges to read arbitrary files on the server. The vulnerability arises because the plugin's combine_current_css() function improperly trusts stylesheet link href values, converting them to filesystem paths without restricting them to the WordPress root directory or ensuring they have a .css extension. This can lead to unauthorized disclosure of sensitive file contents.
CVSS v3.1
Score 4.9medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-12089 is a path traversal vulnerability (CWE-22) in the LWS Optimize – All-in-One Speed Booster & Cache Tools WordPress plugin, affecting versions up to and including 3.3.19. The vulnerability exists in the combine_current_css() function, which processes <link rel="stylesheet" href="..."> elements from page HTML. It converts same-site URLs to absolute filesystem paths and reads them using file_get_contents() and Minify\CSS::add() without verifying that the resolved path remains within the WordPress ABSPATH or that the file has a .css extension. This improper validation allows authenticated attackers with Editor or higher privileges to read arbitrary files on the server.
Potential Impact
An attacker with Editor-level or higher privileges can exploit this vulnerability to read arbitrary files on the server, potentially exposing sensitive information such as configuration files, credentials, or other protected data. The vulnerability does not allow code execution or modification, but the confidentiality impact is high. The CVSS v3.1 base score is 4.9 (medium severity) with network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Editor-level access to trusted users only and monitor for suspicious activity. Avoid using this plugin version in high-risk environments. Follow the vendor's updates closely for any released patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-06-12T13:57:55.876Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2cc2dfe617e2d8342dcc6b
Added to database: 6/13/2026, 2:39:27 AM
Last enriched: 6/13/2026, 2:54:51 AM
Last updated: 6/13/2026, 6:48:12 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.