WordPress plugin LWS Cleaner 2.4.13 – vulnerable to arbitrary file deletion

[Image: WordPress.org screenshot of the plugin page]

Website owners relying on the LWS Cleaner plugin should be aware of a critical security issue. Version 2.4.13 of the plugin contains a flaw that allows an authenticated administrator to arbitrarily delete files via the lws-cl-delete-file endpoint (source).


What is the vulnerability?

  • Plugin affected: LWS Cleaner
  • Vulnerable version: 2.4.13
  • Vulnerability type: arbitrary file deletion
  • Attack vector: authenticated administrators can send requests through the lws-cl-delete-file function to delete files of their choosing

Although the issue requires admin-level access, it significantly increases the potential damage a compromised or malicious admin account can inflict.


Why it matters

Administrators already have high privileges, but this flaw allows the deletion of sensitive files outside the intended plugin directory. That can lead to:

  • Deletion of core WordPress files, breaking the site
  • Removal of configuration files, exposing the site to further compromise
  • Permanent loss of data if no backup is available

In short: if exploited, the vulnerability can completely take down a website.


Technical Breakdown

The problem stems from insufficient path validation in the lws-cl-delete-file endpoint. If the plugin does not properly sanitize file paths, it becomes possible to manipulate the input (for example, using directory traversal sequences like ../) to delete files outside of safe directories.

Because administrators can directly trigger this functionality, any compromised admin account or insider threat can exploit it.
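The fix for this class of bug is to canonicalize the requested path and refuse anything that does not resolve inside the directory the feature is meant to clean. The PHP below is an added example, not code from the LWS Cleaner plugin; the function names (example_resolve_inside, example_safe_unlink) and the temporary directory layout are hypothetical. It uses realpath() so that ../ sequences and symlinks are collapsed before the containment check, and it exercises the check on a constructed layout with one file inside the allowed directory and one outside.

```php
<?php
// Added example (not the LWS Cleaner plugin's code): a path-containment check
// that a file-deletion endpoint should perform before calling unlink().
// All function and variable names here are hypothetical.

declare(strict_types=1);

/**
 * Resolve $requested relative to $baseDir and return the canonical absolute
 * path only if it lies inside $baseDir. Returns null for anything else:
 * traversal ("../"), absolute paths, symlinks pointing outside, NUL bytes,
 * or files that do not exist.
 */
function example_resolve_inside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Trailing separator so "/var/www/safe-other" cannot match "/var/www/safe".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() raises a ValueError on NUL bytes in PHP 8; reject them first.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // realpath() collapses "..", resolves symlinks and fails on missing paths.
    // An absolute $requested is simply appended and will not exist under $base.
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }

    // Prefix comparison on canonical paths is the actual containment test.
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null;
    }
    return $target;
}

/** Delete $requested only if it is a regular file resolving inside $baseDir. */
function example_safe_unlink(string $baseDir, string $requested): bool
{
    $target = example_resolve_inside($baseDir, $requested);
    if ($target === null || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demonstration layout in a fresh temp directory:
//   <root>/safe/cache.tmp  (inside the allowed directory, may be deleted)
//   <root>/secret.conf     (outside the allowed directory, must survive)
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example_' . bin2hex(random_bytes(4));
mkdir($root . '/safe', 0700, true);
file_put_contents($root . '/safe/cache.tmp', 'x');
file_put_contents($root . '/secret.conf', 'x');

$traversalRefused  = example_safe_unlink($root . '/safe', '../secret.conf') === false
                     && file_exists($root . '/secret.conf');
$inDirDeleted      = example_safe_unlink($root . '/safe', 'cache.tmp') === true
                     && !file_exists($root . '/safe/cache.tmp');
$absoluteRefused   = example_resolve_inside($root . '/safe', $root . '/secret.conf') === null;
$nulByteRefused    = example_resolve_inside($root . '/safe', "cache.tmp\0") === null;

echo ($traversalRefused && $inDirDeleted && $absoluteRefused && $nulByteRefused)
    ? "containment check behaved as expected\n"
    : "unexpected result, review the check\n";

// Clean up the constructed layout.
unlink($root . '/secret.conf');
rmdir($root . '/safe');
rmdir($root);
```

Run with `php example.php`. In a real WordPress handler the same check would sit after the usual gatekeeping, a capability test such as current_user_can('manage_options') and a nonce check via check_ajax_referer(), with $baseDir pinned to the plugin's own cache directory rather than taken from the request. Note that realpath() only succeeds for paths that exist, which is acceptable here because there is nothing to delete otherwise; the important property is that the decision is made on the canonical path, not on the raw string the user supplied.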


Who is Affected

  • All WordPress websites using LWS Cleaner version 2.4.13
  • Servers where PHP or the webserver user has permission to delete files beyond the plugin’s folder

How to protect your site

  1. Update the plugin immediately
    Check if the developer has released a patched version beyond 2.4.13. Update as soon as possible.
  2. Review file permissions
    Restrict file and folder permissions so the webserver can’t delete sensitive files outside WordPress’s working directories.
  3. Limit administrator accounts
    Grant admin privileges only to trusted users. Use editor or author roles for day-to-day content management.
  4. Monitor user activity
    Keep logs of admin actions to detect suspicious behavior early.
  5. Maintain regular backups
    Ensure you have automated backups of both the database and site files. In case of file deletion, backups may be your only recovery option.

⚠️ This vulnerability emphasizes why even administrator-only flaws are dangerous: if a single admin account is compromised, attackers can cause catastrophic damage in minutes. Proactive patching, strict permissions, and backup strategies are your strongest defenses.

