CVE-2026-12089
MediumCVSS 4.9Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 3.3.19. The issue arises from the combine_current_css() function improperly processing <link rel="stylesheet" href="..."> values, allowing for arbitrary file reads.
Risk Assessment
Authenticated attackers with Editor-level access and above can read sensitive files on the server, posing a serious threat to the organization's data security.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability and review user permissions to limit access to critical functions.
Original NVD description (English source)
The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.

