What the vulnerability does
01 Description
The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4.5.2. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is possible because 'original-file' is a public (non-protected) meta key: it does not begin with an underscore, so Authors can freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API.
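One way to validate a stored path before deleting it, shown as an added example that is not WP-Optimize's own code or its patch. The hypothetical helper `example_confine_to_dir()` assumes the only legitimate deletion targets are existing files under the uploads directory; the demo tree and the meta values are constructed.

```php
<?php
// Added example: hypothetical helper, not WP-Optimize's code or its fix.
// Returns the canonical path when $candidate is an existing regular file
// inside $base_dir, otherwise null (the caller must then skip the delete).
function example_confine_to_dir(string $candidate, string $base_dir): ?string {
    $base = realpath($base_dir);
    if ($base === false || $candidate === '' || strpos($candidate, "\0") !== false) {
        return null;
    }
    // Relative values are resolved against the base, never against the CWD.
    $is_absolute = $candidate[0] === '/' || preg_match('#^[A-Za-z]:[\\\\/]#', $candidate) === 1;
    $joined = $is_absolute ? $candidate : $base . DIRECTORY_SEPARATOR . $candidate;
    // realpath() collapses ../ and resolves symlinks; false means no such file.
    $real = realpath($joined);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so "uploads-old" cannot match "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo tree standing in for a WordPress install.
$root = sys_get_temp_dir() . '/wpo-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/uploads/2026/05", 0700, true);
mkdir("$root/wp-content/uploads-old", 0700, true);
$uploads = "$root/wp-content/uploads";
$files = ["$root/wp-config.php", "$uploads/2026/05/photo-original.jpg",
          "$root/wp-content/uploads-old/photo.jpg"];
array_map('touch', $files);

// Constructed 'original-file' meta values and the expected decision.
$samples = [
    '2026/05/photo-original.jpg'             => 'ALLOW',
    "$uploads/2026/05/photo-original.jpg"    => 'ALLOW',
    '../../wp-config.php'                    => 'REJECT',
    "$root/wp-config.php"                    => 'REJECT',
    "$root/wp-content/uploads-old/photo.jpg" => 'REJECT',
    '2026/05/missing.jpg'                    => 'REJECT',
];
foreach ($samples as $value => $expected) {
    $got = example_confine_to_dir($value, $uploads) === null ? 'REJECT' : 'ALLOW';
    printf("%-6s (expected %s) %s\n", $got, $expected, $value);
}
```

Delete only the canonical path the helper returns, never the raw meta value, so the containment check and the delete operate on the same file.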
Explanation of Vulnerability in Simple Terms
02 Summary
WP-Optimize versions up to 4.5.2 contain a path traversal vulnerability that allows authenticated users to read, modify, or delete files outside the intended plugin directory. An attacker with low-level site access can manipulate file paths to access sensitive WordPress configuration files, database backups, or other protected content. This affects the plugin's file handling operations and poses a significant risk to site integrity and confidentiality.
What an attacker can do
03 Attacker Capabilities
Read, modify, or delete files outside the plugin directory on the server.
Potential impact on your site
04 Site Impact
Attackers with basic site access can steal wp-config.php, database backups, or corrupt critical files.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
May 7, 2026: CVE published
May 7, 2026: Record updated