CVE-2025-8575

WordPress · WordPress Multiple Products

A high-severity vulnerability has been identified in the LWS Cleaner plugin for WordPress, which could allow an attacker to delete arbitrary files on the server.

Executive summary

A high-severity vulnerability has been identified in the LWS Cleaner plugin for WordPress, which could allow an attacker to delete arbitrary files on the server. Successful exploitation could lead to website defacement, denial of service by deleting critical configuration files, or permanent data loss. Organizations using this plugin are urged to take immediate action to mitigate this risk.

Vulnerability

The LWS Cleaner plugin contains an arbitrary file deletion vulnerability in its lws_cl_delete_file function. The function fails to properly sanitize or validate the file path provided by the user. An authenticated attacker can exploit this by crafting a request with a path traversal payload (e.g., ../../wp-config.php) to target and delete files outside of the intended directory, including critical WordPress core files, configuration files, or other sensitive data on the server.
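The defect described above is the absence of a containment check between the user-supplied path and the directory the cleaner is meant to operate on. The following is an added example, not code from the LWS Cleaner plugin or from the advisory, showing the check such a handler should perform before it calls unlink(): it canonicalises both the base directory and the joined path (collapsing ".." segments and following symlinks) and refuses anything that does not stay inside the base. The technique is language-neutral; it is written in Python rather than PHP so it can be run directly, and the wp-content/cache layout, file names and payload shapes in demo() are constructed for the demonstration.

```python
# Added example (not the LWS Cleaner plugin's code): the containment check a
# file-deletion handler should perform before it calls unlink().
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_within(base_dir: str, requested: str) -> Optional[Path]:
    """Return the canonical path of `requested` if it lies inside `base_dir`,
    otherwise None.

    Both sides are canonicalised with resolve(), which collapses '..' segments
    and follows symlinks, so '../../wp-config.php', an absolute path, and a
    symlink inside the directory that points outside it are all rejected by
    the same comparison.
    """
    if "\x00" in requested:
        return None  # a NUL byte can truncate the path seen by C library calls
    base = Path(base_dir).resolve()
    # Join first, then canonicalise. If `requested` is absolute the join
    # discards `base`, and the containment test below still catches that.
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    if target == base:
        return None  # the base directory itself is never a deletion target
    return target


def safe_delete(base_dir: str, requested: str) -> bool:
    """Delete `requested` only if it resolves to a regular file inside base_dir."""
    target = resolve_within(base_dir, requested)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> Dict[str, bool]:
    """Build a constructed site layout in a temporary directory and exercise
    the check with the payload shapes the advisory describes."""
    root = Path(tempfile.mkdtemp())
    cache = root / "wp-content" / "cache"  # the directory the handler may clean
    cache.mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php // constructed stand-in\n")
    (cache / "old.log").write_text("stale cache entry\n")

    results = {
        "inside": safe_delete(str(cache), "old.log"),
        "traversal": safe_delete(str(cache), "../../wp-config.php"),
        "absolute": safe_delete(str(cache), str(root / "wp-config.php")),
    }
    try:
        # A symlink inside the cleaned directory that points at a file outside it
        os.symlink(root / "wp-config.php", cache / "escape")
        results["symlink"] = safe_delete(str(cache), "escape")
    except OSError:
        results["symlink"] = False  # platform without symlink support
    results["config_survives"] = (root / "wp-config.php").exists()
    results["cache_file_gone"] = not (cache / "old.log").exists()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the in-directory deletion succeeds; the traversal payload, the absolute path and the symlink all resolve outside the base and are refused, and the stand-in wp-config.php is untouched. In a WordPress handler this check sits alongside, not instead of, the capability and nonce checks that establish who may call the action at all.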

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.2. A successful attack could have a significant business impact, including a complete denial of service if an attacker deletes essential files like wp-config.php or .htaccess. This would result in website downtime, leading to potential revenue loss, customer dissatisfaction, and reputational damage. Furthermore, the deletion of user-uploaded content or other site data could lead to permanent data loss if backups are not readily available, causing major operational disruption.

Remediation

Immediate Action: Update the LWS Cleaner plugin to the latest available version (greater than version 2), which addresses this vulnerability. If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it to eliminate this attack vector.

Proactive Monitoring: Implement File Integrity Monitoring (FIM) on the web server to generate alerts for any unauthorized changes or deletions to critical files (e.g., wp-config.php, .htaccess, core application files). Review web server access logs for suspicious POST requests to the WordPress backend, specifically looking for patterns indicative of path traversal (../) in requests related to the LWS Cleaner plugin's functionality.
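The log review above can be scripted. The following is an added example, not part of the advisory, that scans access-log lines in the common Apache/nginx "combined" format for traversal sequences after repeatedly URL-decoding the request, so that "..%2F" and the double-encoded "%252e%252e%252f" are caught as well as a literal "../". Requests to wp-admin or the REST API are marked as the higher-priority subset. The log lines, client addresses and the "action" and "file" parameter names are constructed for the example; the plugin's real endpoint and parameter names are not given on the page. One caveat: a default access log records only the request line, so a payload carried in a POST body is invisible here and needs request-body logging or a WAF to observe.

```python
# Added example (not from the advisory or the plugin): scan web-server access
# log lines for path-traversal payloads aimed at the WordPress backend.
import re
import urllib.parse
from typing import Dict, Iterable, List

# "combined" format: client, identity, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# '../' or '..\' in the fully decoded URL
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Admin-side entry points through which a plugin's delete action is normally reached
BACKEND_RE = re.compile(r'^/wp-admin/|^/wp-json/')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo URL encoding repeatedly (bounded) so '..%2F' and '%252e%252e%252f'
    both normalise to '../' before the traversal pattern is applied."""
    current = value
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def has_traversal(url: str) -> bool:
    return TRAVERSAL_RE.search(decode_fully(url)) is not None


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per request whose URL contains a traversal sequence.
    `backend` marks requests to wp-admin or the REST API; lines that do not
    parse as combined-format entries are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not has_traversal(m["url"]):
            continue
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "method": m["method"],
            "url": m["url"],
            "status": int(m["status"]),
            "backend": bool(BACKEND_RE.search(m["url"])),
        })
    return findings


# Constructed sample lines (RFC 5737 documentation addresses). The 'action'
# and 'file' parameter names are placeholders, not the plugin's real ones.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete&file=../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2025:14:02:19 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete&file=..%2F..%2F.htaccess HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Aug/2025:14:03:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete&file=%252e%252e%252fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [10/Aug/2025:14:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2025:14:04:05 +0000] "GET /index.php?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Aug/2025:14:05:00 +0000] "GET /blog/../archive/ HTTP/1.1" 301 0 "-" "Mozilla/5.0"
this line is not in combined log format
"""


def findings_from_sample() -> List[Dict[str, object]]:
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in findings_from_sample():
        flag = "BACKEND" if f["backend"] else "other"
        print(f"{flag:7} {f['ip']:15} {f['method']:4} {f['status']} {f['url']}")
```

On the sample, the three admin-ajax requests carrying a traversal sequence are reported as backend findings regardless of encoding, the benign heartbeat and front-end requests are ignored, and the "/blog/../archive/" request is reported at lower priority. Pairing the findings with the FIM alerts described above (a traversal request shortly before a deletion of wp-config.php or .htaccess) is what turns a noisy pattern match into an incident signal.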

Compensating Controls: If patching is not immediately feasible, deploy a Web Application Firewall (WAF) with rules designed to detect and block path traversal attempts. Additionally, enforce strict file system permissions to ensure the web server user account does not have permission to write or delete files outside of its designated directories (e.g., wp-content/uploads).

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.2) of this vulnerability and its potential to cause a complete denial of service, it is strongly recommended that organizations take immediate action. The primary recommendation is to update the LWS Cleaner plugin to a patched version without delay. If the plugin's functionality is not critical, the most secure course of action is to remove it entirely. Although there is no current evidence of active exploitation, the ease of exploitation necessitates prompt remediation to prevent potential website compromise and operational disruption.