Impact
The Image Optimizer plugin for WordPress permits authenticated users with Author privileges or higher to insert arbitrary absolute file paths into the image_optimizer_metadata post meta. When a user deletes an attachment, the plugin unlinks each stored path without verifying that it lies within the uploads directory. This flaw enables deletion of any file on the server that the web user can read or write, resulting in data loss, potential service disruption, or broader security degradation. The vulnerability is a path traversal/unsanitized input weakness classified as CWE-73 (External Control of File Name or Path).
Affected Systems
Elementor’s Image Optimizer – Optimize Images and Convert to WebP or AVIF plugin for WordPress is affected. All releases up to and including version 1.7.4 contain the flaw. WordPress installations that have this plugin and host users with Author or higher roles are vulnerable.
Risk and Exploitability
The flaw has a CVSS score of 8.1, indicating high severity. EPSS data is unavailable and the issue is not listed in CISA KEV, suggesting it may be less publicly known. The likely attack vector is straightforward: an authenticated author edits a custom field on an attachment to inject malicious paths and then triggers the deletion hook, causing the plugin to delete the specified files. Because only Author privileges are required, the exploitation barrier is low, and the impact is outright deletion of the targeted files with no obfuscation involved.
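Below is an added example, not the plugin's or Elementor's own code, of the containment check the advisory describes as missing: each path read from post meta is resolved with realpath() and unlinked only when it falls inside the uploads directory, while refused entries are returned so they can be logged as tampered metadata. The uploads base directory is passed in as a parameter rather than read from wp_upload_dir(), so the script runs without WordPress.

```php
<?php
// Added example, not the plugin's own code: confine attachment-cleanup
// deletions to the uploads tree. $uploads_basedir stands in for
// wp_upload_dir()['basedir'] so the script runs without WordPress.
function is_inside_uploads(string $candidate, string $uploads_basedir): bool
{
    // realpath() resolves symlinks and ".." and returns false for missing paths.
    $base = realpath($uploads_basedir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Compare with the trailing separator so "/srv/uploads-other/x" is not
    // accepted for base "/srv/uploads".
    return strncmp($real, $base, strlen($base)) === 0;
}

// Hardened cleanup routine: unlink only paths that resolve inside the uploads
// tree, and return the refused entries so they can be logged as tampered meta.
function delete_optimized_files(array $stored_paths, string $uploads_basedir): array
{
    $refused = [];
    foreach ($stored_paths as $path) {
        if (!is_string($path) || !is_inside_uploads($path, $uploads_basedir)) {
            $refused[] = $path;
            continue;
        }
        unlink($path);
    }
    return $refused;
}

// Constructed demonstration: a temporary directory plays the uploads folder
// and a temp file outside it plays a sensitive file named in injected meta.
$uploads = sys_get_temp_dir() . '/demo-uploads-' . getmypid();
mkdir($uploads);
file_put_contents("$uploads/photo.webp", 'x');
$outside = tempnam(sys_get_temp_dir(), 'outside');
$meta = [
    "$uploads/photo.webp",                // legitimate optimized file
    $outside,                             // absolute path injected into meta
    "$uploads/../" . basename($outside),  // traversal form of the same path
];
$refused = delete_optimized_files($meta, $uploads);
printf("in-tree file still present: %s\n", var_export(file_exists("$uploads/photo.webp"), true));
printf("outside file still present: %s\n", var_export(file_exists($outside), true));
printf("refused entries: %s\n", implode(', ', $refused));
unlink($outside);
rmdir($uploads);
```

The refused list is the detection hook: any non-empty result on attachment deletion indicates post meta that was edited to point outside the uploads tree.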
OpenCVE Enrichment