PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12089 aurelienlws CVE debrief

The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel='stylesheet' href='...'> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify/CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.

Vendor
aurelienlws
Product
LWS Optimize – All-in-One Speed Booster & Cache Tools
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-13
Original CVE updated
2026-06-13
Advisory published
2026-06-13
Advisory updated
2026-06-13

Who should care

Administrators of WordPress sites running the LWS Optimize – All-in-One Speed Booster & Cache Tools plugin at version 3.3.19 or earlier. The attack requires an authenticated account at Editor level or above, so the exposure is greatest on sites that hand such accounts to people who are not fully trusted: multi-author blogs, agency- or client-managed sites, and sites where accounts of former staff are still active. On a single-administrator site with no Editor accounts, the flaw is still worth patching but is far harder to reach.

Technical summary

The flaw is in the plugin's combine_current_css() function. It harvests the href values of <link rel='stylesheet' href='...'> tags from the page HTML it is optimizing, treats any same-site URL as a file to combine, converts that URL to an absolute filesystem path, and reads the file with file_get_contents() and Minify/CSS::add(). Two checks are missing: the resolved path is never confined to ABSPATH (the WordPress install directory), and the target is never required to end in .css. A href that points at a non-CSS file under the web root, or that uses ../ segments to step outside it, therefore resolves to any file the web server process can read, and its contents are pulled in as stylesheet source. The Editor-level requirement follows from where the tags come from: an account that can publish page content can place a crafted <link> tag where the function will harvest it. Reading arbitrary files (the database credentials in wp-config.php being the obvious target) is the impact; the CVSS 4.9 score reflects the high privilege needed rather than a low impact.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update the LWS Optimize – All-in-One Speed Booster & Cache Tools plugin to a release newer than 3.3.19 that fixes this vulnerability; the affected range stated is versions up to and including 3.3.19.
  • Until the fix is applied, review every account at Editor level or above, demote or remove any that do not need that role, and consider disabling the plugin's CSS combining feature (the combine_current_css() code path) if your configuration allows it, since a crafted stylesheet link can only be exploited when that feature runs.
  • Audit published content and theme output for <link rel='stylesheet'> tags whose href uses ../ segments, points at a file without a .css extension, or targets sensitive paths such as wp-config.php; inspect the plugin's combined/cached CSS files for content that is not CSS (PHP source, configuration values), which would indicate the read has already occurred.
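The URL-to-path mapping described in the technical summary, with the containment and extension checks that were missing, and the same check applied as an audit over harvested stylesheet links, as an added PHP example. This is not code from the LWS Optimize plugin or from PatchSiren; the function names, the site URL https://example.test, and the HTML and files it creates under the system temp directory are all constructed for the demonstration.

```php
<?php
// Added illustrative example; not code from the LWS Optimize plugin.
// It models the flaw the debrief describes: a same-site <link rel="stylesheet">
// href harvested from page HTML is mapped onto a filesystem path and read, with
// no check that the path stays under ABSPATH or ends in .css. A hardened
// resolver is shown beside it. Assumed values (not from the advisory): the site
// URL https://example.test and the constructed HTML and temp files below.

const SITE_URL = 'https://example.test';

/** Harvest href values of <link rel="stylesheet"> tags from an HTML string. */
function harvest_stylesheet_hrefs(string $html): array
{
    $hrefs = [];
    preg_match_all('/<link\b[^>]*>/i', $html, $tags);
    foreach ($tags[0] as $tag) {
        if (preg_match('/\brel=["\']stylesheet["\']/i', $tag)
            && preg_match('/\bhref=["\']([^"\']+)["\']/i', $tag, $m)) {
            $hrefs[] = $m[1];
        }
    }
    return $hrefs;
}

/**
 * VULNERABLE (the pattern the advisory describes): a same-site URL becomes a
 * local path by plain concatenation and is then handed to file_get_contents().
 * "../" segments and non-.css targets pass straight through.
 */
function vulnerable_url_to_path(string $href, string $docRoot): ?string
{
    if (strpos($href, SITE_URL . '/') !== 0) {
        return null;                        // cross-site URL: left alone
    }
    return $docRoot . parse_url($href, PHP_URL_PATH);
}

/**
 * HARDENED: keep only the URL path, require a .css extension, canonicalise with
 * realpath() (which also resolves symlinks) and require the result to remain
 * under $docRoot. Returns null for anything that must not be combined.
 */
function hardened_url_to_path(string $href, string $docRoot): ?string
{
    $parts = parse_url($href);
    $site  = parse_url(SITE_URL);
    if ($parts === false || empty($parts['path'])) {
        return null;
    }
    if (isset($parts['host']) && strcasecmp($parts['host'], $site['host']) !== 0) {
        return null;                        // only same-site URLs are eligible
    }
    $path = rawurldecode($parts['path']);   // query string and fragment are dropped
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'css') {
        return null;
    }
    $root = realpath($docRoot);
    $real = realpath($docRoot . '/' . ltrim($path, '/'));
    if ($root === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare canonical paths including the separator, so "/root2/x.css" is not
    // accepted as being under "/root".
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// ---- Constructed demo: a throwaway document root with one real stylesheet ----
$pid     = getmypid();
$docRoot = sys_get_temp_dir() . "/cve-2026-12089-demo-$pid";
$outside = dirname($docRoot) . "/outside-$pid.css";   // a .css file above the root
mkdir("$docRoot/wp-content/themes/demo", 0700, true);
file_put_contents("$docRoot/wp-content/themes/demo/style.css", "body{margin:0}\n");
file_put_contents("$docRoot/wp-config.php", "<?php define('DB_PASSWORD', 'secret');\n");
file_put_contents($outside, "/* outside the web root */\n");

// Constructed page HTML: one legitimate link and two attacker-supplied ones.
$html = <<<HTML
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/style.css?ver=1">
<link rel="stylesheet" href="https://example.test/wp-config.php">
<link rel="stylesheet" href="https://example.test/../outside-{$pid}.css">
HTML;

foreach (harvest_stylesheet_hrefs($html) as $href) {
    $bad  = vulnerable_url_to_path($href, $docRoot);
    $good = hardened_url_to_path($href, $docRoot);
    $leak = ($bad !== null && is_file($bad)) ? trim(file_get_contents($bad)) : '(nothing)';
    printf("%s\n  vulnerable path: %s\n  vulnerable reads: %s\n  hardened accepts: %s\n",
        $href, $bad ?? '(skipped)', $leak, $good ?? '(rejected)');
}

// Clean up the constructed files.
unlink("$docRoot/wp-content/themes/demo/style.css");
unlink("$docRoot/wp-config.php");
unlink($outside);
rmdir("$docRoot/wp-content/themes/demo");
rmdir("$docRoot/wp-content/themes");
rmdir("$docRoot/wp-content");
rmdir($docRoot);
```

Run it with `php` from the command line. The vulnerable resolver hands back wp-config.php and the file above the root, and reads both; the hardened resolver returns a path only for the real stylesheet and rejects the other two. Note that the extension check alone would not be enough (the third link does end in .css), which is why containment is checked on the realpath() result rather than on the string the attacker supplied. hardened_url_to_path() is also usable as an audit filter: run it over links harvested from published content and treat every null result as something to inspect.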

Evidence notes

The vulnerability was reported by [email protected] and is tracked in the Wordfence threat intelligence database.

Official resources

CVE-2026-12089 was published on 2026-06-13T03:16:19.573Z and has not been modified since.