Volerion logoVolerion
Volerion logoVolerion

LWS Cleaner WordPress Plugin Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the LWS Cleaner plugin for WordPress, affecting all versions through 2.4.1.3. The issue arises from inadequate validation of file paths in the 'lws_cl_delete_file' function. This vulnerability enables authenticated attackers with Administrator-level access to delete arbitrary files on the server. Exploiting this flaw could lead to remote code execution, particularly if sensitive files like 'wp-config.php' are deleted.

Impact

Successful exploitation allows authenticated users with Administrator privileges to delete arbitrary files on the server, potentially leading to remote code execution.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator-level access can send a request to the 'lws_cl_delete_file' function. This request must include the path of the file to be deleted. The lack of proper path validation allows for traversal and deletion of files outside the intended directory, including critical WordPress files.

Remediation

Users are advised to update the LWS Cleaner plugin to version 2.4.2 or later.

Added: Sep 12, 2025, 6:18 AM
Updated: Sep 12, 2025, 6:18 AM

Vulnerability Rating

Custom Algorithm
spread
1.0
impact
10.0
exploitability
6.0
remediation
7.7
relevance
0.5
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.