CVE-2026-7252 HIGH

CVE-2026-7252: WP-Optimize <= 4.5.2 - Authenticated (Author+) Arbitrary File Deletion via 'original-file' Post Meta

Vendor Davidanderson
Product WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Weakness CWE-22 · Path traversal
Published May 7, 2026
Last update May 7, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4.5.2. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is possible because 'original-file' is a public (non-protected) meta key — it does not begin with an underscore — allowing Authors to freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API.
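An added example, not code from the plugin or from this advisory: a Python audit that takes exported post meta rows and flags 'original-file' values that resolve outside the uploads directory, which is the containment check the description says is missing. The row layout, the uploads path and the handling of relative values are assumptions, and the sample rows are constructed.

```python
import posixpath

META_KEY = "original-file"  # meta key named in the advisory
UPLOADS = "/var/www/html/wp-content/uploads"  # constructed path (assumption)

# Constructed sample rows: (post_id, author, meta_key, meta_value)
SAMPLE_ROWS = [
    (101, "editor1", "original-file", "/var/www/html/wp-content/uploads/2026/05/photo.jpg"),
    (102, "author7", "original-file", "2026/05/banner.png"),
    (103, "author7", "original-file", "../../wp-config.php"),
    (104, "author9", "original-file", "/var/www/html/wp-config.php"),
    (105, "author9", "original-file", "/var/www/html/wp-content/uploads-old/a.jpg"),
    (106, "author7", "_wp_attached_file", "../../wp-config.php"),
]


def is_contained(base, value):
    """True if `value` names a path strictly inside `base` (POSIX host assumed).

    The check is lexical: it collapses '.' and '..' but does not follow
    symlinks, so a check running on the server itself should also resolve
    the real path before comparing.
    """
    if not value or "\x00" in value:
        return False
    base = posixpath.normpath(base)
    # Assumption: a relative value is interpreted relative to the uploads dir.
    candidate = value if value.startswith("/") else posixpath.join(base, value)
    resolved = posixpath.normpath(candidate)
    # Compare on a component boundary so ".../uploads-old" is not accepted.
    return resolved.startswith(base + "/")


def audit(rows, base):
    """Return (post_id, author, value) for each suspicious 'original-file' row."""
    return [
        (post_id, author, value)
        for post_id, author, key, value in rows
        if key == META_KEY and not is_contained(base, value)
    ]


if __name__ == "__main__":
    for post_id, author, value in audit(SAMPLE_ROWS, UPLOADS):
        print(f"post {post_id} (author {author}): {value!r} is outside {UPLOADS}")
```

Rows flagged by the audit are worth correlating with the attachment's author and edit time during incident triage.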

Explanation of Vulnerability in Simple Terms

02 Summary

WP-Optimize versions up to 4.5.2 contain a path traversal vulnerability that allows authenticated users to read, modify, or delete files outside the intended plugin directory. An attacker with low-level site access can manipulate file paths to access sensitive WordPress configuration files, database backups, or other protected content. This affects the plugin's file handling operations and poses a significant risk to site integrity and confidentiality.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete files outside the plugin directory on the server.

Potential impact on your site

04 Site Impact

Attackers with basic site access can steal wp-config.php, database backups, or corrupt critical files.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

May 7, 2026 CVE published
May 7, 2026 Record updated