10Web Booster WordPress Plugin Arbitrary Folder Deletion Vulnerability

Vulnerability

A vulnerability allowing authenticated users with Subscriber-level access and above to delete arbitrary folders on the server has been identified in the 10Web Booster plugin for WordPress. This issue arises from inadequate file path validation in the 'get_cache_dir_for_page_from_url()' function, affecting all versions through 2.32.7. The flaw could lead to data loss or a denial-of-service condition.

Impact

Exploitation of this vulnerability could result in unauthorized deletion of server folders, potentially causing data loss or a denial-of-service condition.

Reproduction

An authenticated user with Subscriber-level access or higher can reach the 'two_clear_page_cache' function by sending a request to clear the page cache for a URL. Because the cache directory path is not properly validated, directory traversal is possible and arbitrary folders on the server can be deleted.

Remediation

Users are advised to update the 10Web Booster plugin to version 2.32.11 or a newer patched version.
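
The kind of path validation whose absence is described under Reproduction, as an added example that is not the plugin's code or its patch: a hypothetical helper `safe_cache_dir_for_url()` maps a URL to a cache directory and returns it only if it resolves to an existing directory strictly below the cache root. The function name, directory layout, and `example.test` URLs are constructed for illustration.

```php
<?php
// Added example: a hypothetical helper, not the 10Web Booster plugin's code.
// Maps a page URL to a cache directory and refuses anything that does not
// resolve to an existing directory strictly below the cache root.
function safe_cache_dir_for_url(string $cacheRoot, string $url): ?string
{
    $root = realpath($cacheRoot);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $path = rawurldecode($path); // decode first so %2e%2e is seen as ".."
    if (strpos($path, "\0") !== false || strpos($path, '\\') !== false) {
        return null;
    }
    $segments = array_values(array_filter(explode('/', $path), fn($s) => $s !== ''));
    if ($segments === [] || array_intersect($segments, ['.', '..']) !== []) {
        return null; // never the cache root itself, never a dot segment
    }
    // realpath() resolves symlinks and returns false for missing paths.
    $real = realpath($root . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments));
    if ($real === false || !is_dir($real)) {
        return null;
    }
    // Containment check on the resolved path; the trailing separator stops
    // a sibling such as "/cache-old" from matching the prefix "/cache".
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo layout and URLs (example.test is a placeholder host).
$base = sys_get_temp_dir() . '/cache_demo_' . bin2hex(random_bytes(4));
mkdir("$base/cache/blog/post", 0700, true);
mkdir("$base/uploads", 0700, true);
$urls = [
    'https://example.test/blog/post',
    'https://example.test/../uploads',
    'https://example.test/%2e%2e/uploads',
    'https://example.test/',
];
foreach ($urls as $u) {
    $dir = safe_cache_dir_for_url("$base/cache", $u);
    echo str_pad($u, 40), ' => ', $dir ?? 'rejected', PHP_EOL;
}
```

A deletion routine would act only on the non-null return value, so a path that fails the containment check is never passed to the filesystem.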

Added: Dec 6, 2025, 7:19 AM
Updated: Dec 6, 2025, 7:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.