WordPress · Lws Optimize – All-In-One Speed Booster & Cache Tools · CVE-2026-12089
**Name of the Vulnerable Software and Affected Versions**
LWS Optimize – All-in-One Speed Booster & Cache Tools versions prior to 3.3.20
**Description**
The plugin is subject to an arbitrary file read issue. The `combine_current_css()` function trusts values harvested from page HTML and converts same-site URLs to absolute filesystem paths before reading them with `file_get_contents()` or `MinifyCSS::add()`. It does not verify that the resolved path stays within `ABSPATH` or has a `.css` extension. Consequently, authenticated attackers with Editor-level access or higher can read arbitrary files on the system.
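The two checks the description says are missing, containment under the site root and a `.css` extension on the resolved path, are sketched below as an added example; it is not the plugin's code or its actual fix. The function name, `example.test` and the temp-directory layout are constructed for illustration, with `$root` standing in for `ABSPATH`.

```php
<?php
// Added example; all names here are hypothetical, not the plugin's own code.
// Maps a same-site stylesheet URL to a file path, or returns null when the
// resolved path leaves $root or is not a regular .css file.
function example_resolve_css_path(string $url, string $site_url, string $root): ?string
{
    $site = parse_url($site_url);
    $req  = parse_url($url);
    if (!is_array($site) || !is_array($req) || empty($req['path'])) {
        return null;
    }
    // Only same-site URLs are ever mapped to the filesystem.
    if (strcasecmp($req['host'] ?? '', $site['host'] ?? '') !== 0) {
        return null;
    }
    $root_real = realpath($root);
    // realpath() collapses "../" and symlinks, and fails if the file is missing.
    $candidate = realpath($root . '/' . ltrim(rawurldecode($req['path']), '/'));
    if ($root_real === false || $candidate === false) {
        return null;
    }
    // Containment: compare against the root plus a separator so that
    // "/var/www/html-backup" does not pass as being inside "/var/www/html".
    $prefix = rtrim($root_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Extension check runs on the resolved path, not on the raw URL.
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'css' || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// Constructed sample layout in a temp directory standing in for ABSPATH.
$base = sys_get_temp_dir() . '/css-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/site/wp-content', 0700, true);
file_put_contents($base . '/site/wp-content/style.css', 'body{}');
file_put_contents($base . '/site/wp-config.php', '<?php // constructed');
file_put_contents($base . '/outside.css', 'p{}');
$site = 'https://example.test';
foreach ([
    '/wp-content/style.css', // stylesheet inside the root
    '/wp-config.php',        // non-CSS file inside the root
    '/../outside.css',       // .css file one level above the root
] as $path) {
    $r = example_resolve_css_path($site . $path, $site, $base . '/site');
    echo $path, ' => ', $r ?? 'rejected', PHP_EOL;
}
```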
**Recommendations**
Update to a version later than 3.3.19.
As a temporary workaround, restrict access to the `combine_current_css()` function for users with Editor-level permissions until the update is applied.