cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forlws-optimize lws-optimize

Direction: descending
Jun 14, 2026

LWS Optimize # CVE-2026-12089

CVE, Research URL

CVE-2026-12089

Home page URL

Security reports for LWS Optimize

Application

LWS Optimize

Date
Jun 13, 2026
Research Description
The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.
Affected versions
max 3.3.20.
Status
vulnerable
Jun 06, 2024

LWS Optimize # CVE-2024-30541

CVE, Research URL

CVE-2024-30541

Home page URL

Security reports for LWS Optimize

Application

LWS Optimize

Date
Apr 01, 2024
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in LWS LWS Optimize.This issue affects LWS Optimize: from n/a through 1.9.1.
Affected versions
max 2.0.
Status
vulnerable

LWS Optimize # ba397287a26d5cbc01e8e94271d431879e510091

CVE, Research URL

ba397287a26d5cbc01e8e94271d431879e510091

Home page URL

Security reports for LWS Optimize

Application

LWS Optimize

Date
Dec 12, 2022
Research Description
LWS Optimize &#8211; All-in-One Speed Booster &amp; Cache Tools [lws-optimize] < 1.6 LWS Plugins <= (Various Versions) - Missing Authorization Checks Several LWS Plugins for WordPress are vulnerable to authorization bypass due to making admin settings pages available to users with read access (LWS Affiliation in versions up to, and including, 2.1; LWS Optimize in versions up to, and including, 1.5; LWS Tools in versions up to, and including, 2.1; LWS Cleaner in versions up to, and including, 2.0.3; LWS SMS in versions up to, and including, 2.1; LWS Hide Login in versions up to, and including, 2.0.2). This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change plugin settings.
Affected versions
max 1.6.
Status
vulnerable