cleantalk
Vulnerabilities and Security Researches

LWS Optimize, CVE-2026-12089

CVE, Research URL

CVE-2026-12089

Home page URL

Security reports for LWS Optimize

Application

LWS Optimize

Published on
Jun 13, 2026
Research Description
The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.
Affected versions
max 3.3.20.
Status
vulnerable
Previous vulnerability researches
WP Project Manager &#8211; Task, team, and project management plugin featuring kanban board and gantt charts (CVE-2025-3100) , Apr 09, 2025
WP Project Manager &#8211; Task, team, and project management plugin featuring kanban board and gantt charts (CVE-2025-58269) , Apr 24, 2026
WP Project Manager &#8211; Task, team, and project management plugin featuring kanban board and gantt charts (CVE-2023-40003) , Jun 10, 2024
WP Project Manager &#8211; Task, team, and project management plugin featuring kanban board and gantt charts (CVE-2024-10174) , Nov 13, 2024
WP Project Manager &#8211; Task, team, and project management plugin featuring kanban board and gantt charts (CVE-2023-3636) , Jun 07, 2024
New vulnerability
FAQ Manager For Divi, Gutenberg Block &amp; Shortcode (CVE-2023-33999) , Jun 14, 2026
TablePress &#8211; Tables in WordPress made easy (CVE-2023-33999) , Jun 14, 2026
Docket Cache &#8211; Object Cache Accelerator (CVE-2026-22492) , Jun 14, 2026
Advanced Classifieds &amp; Directory Pro (CVE-2023-33999) , Jun 14, 2026
Display Eventbrite Events (CVE-2023-33999) , Jun 14, 2026