VYPR
Medium severity 4.3 · NVD Advisory · Published Aug 29, 2025 · Updated Apr 15, 2026

CVE-2025-8147

Description

The LWSCache plugin for WordPress is vulnerable to unauthorized modification of data due to improper authorization on the lwscache_activatePlugin() function in all versions up to, and including, 2.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate arbitrary whitelisted LWS plugins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The LWSCache plugin for WordPress ≤2.8.5 allows authenticated users with Subscriber access to activate arbitrary whitelisted LWS plugins due to missing authorization in lwscache_activatePlugin().

Root Cause

The LWSCache plugin for WordPress lacks proper authorization checks on the lwscache_activatePlugin() function in all versions up to and including 2.8.5 [1]. This function is intended to activate LWS whitelisted plugins, but it does not verify that the requesting user has the necessary administrative permissions, exposing the function to low-privileged authenticated users.

Exploitation

An attacker who is authenticated to a WordPress site with at least Subscriber-level access can call the lwscache_activatePlugin() function without any additional capability checks [1]. The function activates arbitrary plugins from a whitelist defined by the LWS plugin, meaning the attacker can enable LWS-approved plugins that may have been intentionally disabled by the site administrator. No cross-site request forgery protection or role validation is enforced on this endpoint.
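The missing checks described above, shown as an added example that is not the LWSCache source or the vendor's patch: a plugin-activation AJAX handler without authorization, beside a form that verifies a nonce and the activate_plugins capability before acting. It assumes the function is exposed as a wp_ajax_ action; the handler names, AJAX action, nonce action and allowlist entry are hypothetical.

```php
<?php
// Added illustration: NOT the LWSCache source. Handler names, the AJAX action,
// the nonce action and the allowlist entry are hypothetical.

// Hypothetical allowlist of plugin basenames the handler may activate.
const EXAMPLE_ALLOWED_PLUGINS = array(
    'example-lws-plugin/example-lws-plugin.php',
);

// Weak form: a wp_ajax_* hook only guarantees the caller is logged in, so a
// Subscriber reaches activate_plugin() just as an administrator would.
function example_activate_plugin_unchecked() {
    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    if ( in_array( $plugin, EXAMPLE_ALLOWED_PLUGINS, true ) ) {
        activate_plugin( $plugin );
    }
    wp_send_json_success();
}

// Hardened form: verify the nonce (CSRF), then the capability, then the allowlist.
function example_activate_plugin_checked() {
    // Terminates the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_activate_plugin', 'nonce' );

    // Role validation: only users allowed to manage plugins may continue.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    if ( ! in_array( $plugin, EXAMPLE_ALLOWED_PLUGINS, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not allowed' ), 400 );
    }

    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success();
}

// Register only the hardened handler; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_activate_plugin', 'example_activate_plugin_checked' );
```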

Impact

Successful exploitation allows an authenticated attacker to enable whitelisted LWS plugins that may introduce further vulnerabilities, alter site behavior, or consume server resources [1]. While the attacker cannot install arbitrary third-party plugins (only those on the LWS whitelist), the ability to activate plugins without authorization undermines the site's security posture and administrative control.

Mitigation

The vendor has addressed this vulnerability in version 2.8.6 of the LWSCache plugin [1]. All users running versions up to and including 2.8.5 are strongly advised to update immediately. No workaround is available without updating the plugin.

References
  1. LWSCache

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
