CVE-2026-12089

Vulnerability

The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress (versions up to and including 3.3.19) contains an arbitrary file read vulnerability in the combine_current_css() function. The function trusts ` values harvested from page HTML and converts same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stays within ABSPATH or has a .css extension [1].[2] The affected code is in Classes/Front/LwsOptimizeCSSManager.php` [2][3].

Exploitation

An authenticated attacker with Editor-level access or above can craft a page containing a ` tag with a manipulated href attribute that points to an arbitrary file on the server (e.g., ../../wp-config.php`). When the plugin processes that page’s CSS for combination, it resolves the href to an absolute path and reads the file contents [1]. No additional privileges or user interaction beyond being able to edit/create pages is required.

Impact

Successful exploitation allows the attacker to read arbitrary files on the WordPress server, including sensitive files such as wp-config.php (containing database credentials), .htaccess, or other system files. This leads to full information disclosure and could enable further compromise of the site [1].

Mitigation

The vulnerability is fixed in version 3.4.1, released on 2026-06-08 [1]. Users should update immediately. No workaround is provided for older versions; unpatched installations should be upgraded to the latest version.