A critical vulnerability has been identified in the 10Web Booster WordPress plugin, which is a component of The Multiple Products. This flaw allows a low-level authenticated user, such as a subscriber, to delete any folder on the server. Successful exploitation could lead to catastrophic data loss or a complete denial of service by deleting critical website or operating system files.

The vulnerability exists within the get_cache_dir_for_page_from_url() function of the plugin. This function fails to properly sanitize and validate the file path derived from a user-supplied URL. An authenticated attacker, even with minimal subscriber-level privileges, can craft a malicious request containing path traversal sequences (e.g., ../) to navigate outside of the intended cache directory. This allows the attacker to target and delete arbitrary folders anywhere on the server that the web server process has permission to modify.

This vulnerability is rated as critical severity with a CVSS score of 9.6. The business impact of a successful exploit is severe. An attacker could intentionally delete core application directories, rendering the website and associated services completely inoperable, resulting in a Denial of Service (DoS). Furthermore, an attacker could delete directories containing user data, website backups, or critical business documents, leading to permanent and irrecoverable data loss. The potential consequences include significant financial loss from downtime, high costs for incident response and recovery, and lasting reputational damage.

Immediate Action:

• Immediately update The Multiple Products (specifically the 10Web Booster plugin) to the latest version available from the vendor, which contains a patch for this vulnerability.
• After patching, carefully review web server and application access logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring:

• Log Analysis: Configure and monitor web server access logs for suspicious POST/GET requests targeting the plugin's functions, especially those containing URL-encoded path traversal characters (%2e%2e%2f). Pay close attention to activity from low-privileged user accounts.
• File Integrity Monitoring (FIM): Implement or verify that a FIM solution is in place to alert on unauthorized or unexpected deletion of critical files and folders within the webroot and other system directories.
• System Alerts: Monitor for unexpected application errors or server crashes, as these could be indicators of missing directories caused by exploitation.

Compensating Controls:

• Web Application Firewall (WAF): If patching is delayed, deploy a WAF with strict rules to detect and block requests containing path traversal patterns targeting the web application.
• Restrict Privileges: As a temporary measure, disable the vulnerable plugin entirely. If this is not possible, restrict user registration or temporarily elevate the permissions required to access the plugin’s functionality.
• System Permissions: Review and harden file system permissions to ensure the web server user account has the most restrictive permissions possible and cannot delete critical system-level or application-level directories.
• Backups: Verify that recent, tested, and segregated backups of the server and website data are available for rapid restoration in the event of a destructive attack.

Public Exploit Available: false

Given the critical CVSS score of 9.6 and the potential for complete data loss or denial of service, this vulnerability presents a significant and immediate risk to the organization. The fact that any authenticated user, including a basic subscriber, can trigger this vulnerability makes it particularly dangerous. We strongly recommend that the required patch is applied on all affected systems as an emergency change. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants immediate and prioritized remediation.