Description
The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path validation in the Image_Backup::remove() function where backup file paths stored in post meta are used directly in file deletion operations without verifying they are within the uploads directory. The plugin stores backup file paths in the image_optimizer_metadata post meta field and trusts these paths completely when deleting backups on the delete_attachment hook. An authenticated attacker with Author-level access can edit the image_optimizer_metadata post meta on their own attachments via WordPress's Custom Fields interface, injecting arbitrary absolute file paths into the backups array. When the attacker subsequently deletes the attachment, the plugin calls File_System::delete() on each path without validation. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server within the web server's filesystem permissions, potentially leading to denial of service, data loss, or security degradation.
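The root cause in the description above is a missing containment check: paths read back from the image_optimizer_metadata post meta are handed to the deletion routine as-is. The PHP below is an added example, not the Image Optimizer plugin's code or the vendor's fix. It canonicalizes each stored path with realpath() and only passes paths that resolve inside the WordPress uploads directory to deletion, logging anything else. The function names and the assumption that the meta holds a backups array of path strings are hypothetical; wp_upload_dir(), get_post_meta(), wp_delete_file() and add_action() are real WordPress APIs.

```php
<?php
// Added example (not the plugin's own code): containment check for backup
// paths read from untrusted post meta before they are deleted.
declare(strict_types=1);

/**
 * Return the canonical form of $path if it lies inside $base_dir, else null.
 * realpath() resolves "..", symlinks and relative segments, so a prefix test
 * on the canonical forms is sound: a symlink inside uploads that points
 * outside resolves outside and is rejected. A path that does not exist
 * resolves to false and is rejected too (there is nothing to delete).
 */
function canonical_path_within(string $path, string $base_dir): ?string
{
    $real_base = realpath($base_dir);
    $real_path = realpath($path);
    if ($real_base === false || $real_path === false) {
        return null;
    }
    // Compare with a trailing separator so "/srv/uploads-other" is not
    // mistaken for a child of "/srv/uploads".
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real_path, $real_base, strlen($real_base)) !== 0) {
        return null;
    }
    return $real_path;
}

/**
 * Split a list of backup entries from post meta into canonical paths inside
 * the uploads directory ("allowed") and everything else ("rejected").
 */
function filter_backup_paths(array $backups, string $uploads_basedir): array
{
    $allowed  = [];
    $rejected = [];
    foreach ($backups as $entry) {
        if (!is_string($entry) || $entry === '') {
            $rejected[] = $entry;
            continue;
        }
        $canonical = canonical_path_within($entry, $uploads_basedir);
        if ($canonical === null) {
            $rejected[] = $entry;
            continue;
        }
        $allowed[] = $canonical;
    }
    return ['allowed' => $allowed, 'rejected' => $rejected];
}

/**
 * Hypothetical hardened delete_attachment handler. Only paths that survive
 * the containment filter reach the deletion call; the rest are logged so an
 * operator can spot tampered meta.
 */
function hardened_remove_backups(int $attachment_id): void
{
    $meta = get_post_meta($attachment_id, 'image_optimizer_metadata', true);
    // Assumed layout: $meta['backups'] is a list of path strings.
    $backups = (is_array($meta) && isset($meta['backups']) && is_array($meta['backups']))
        ? $meta['backups']
        : [];

    $uploads = wp_upload_dir();
    $result  = filter_backup_paths($backups, $uploads['basedir']);

    foreach ($result['rejected'] as $bad) {
        error_log(sprintf(
            'backup path outside uploads dir rejected for attachment %d: %s',
            $attachment_id,
            is_string($bad) ? $bad : gettype($bad)
        ));
    }
    foreach ($result['allowed'] as $file) {
        wp_delete_file($file);
    }
}

// Register only when running inside WordPress so the file also loads stand-alone.
if (function_exists('add_action')) {
    add_action('delete_attachment', 'hardened_remove_backups');
}
```

The same canonical_path_within() check belongs at write time as well, so that a path outside the uploads directory is never stored in the meta in the first place; the read-time filter above is the safety net for meta that was edited through the Custom Fields interface after the fact.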
Published: 2026-07-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Image Optimizer plugin for WordPress permits authenticated users with Author privileges or higher to insert arbitrary absolute file paths into the image_optimizer_metadata post meta. When a user deletes an attachment, the plugin blindly deletes each stored path without verifying it is within the uploads directory. This flaw enables deletion of any file on the server that the web user can read or write, resulting in data loss, potential service disruption, or broader security degradation. The vulnerability is a path traversal/unsanitized input weakness classified as CWE-73.

Affected Systems

Elementor’s Image Optimizer – Optimize Images and Convert to WebP or AVIF plugin for WordPress is affected. All releases up to and including version 1.7.4 contain the flaw. WordPress installations that have this plugin and host users with Author or higher roles are vulnerable.

Risk and Exploitability

The flaw has a CVSS score of 8.1, indicating high severity. EPSS data is unavailable and the issue is not listed in CISA KEV, suggesting it may be less publicly known. The likely attack vector is straightforward: an authenticated author edits a custom field on an attachment to inject malicious paths and then triggers the deletion hook, causing the plugin to delete the specified files. Because only author privileges are required, the exploitation barrier is low, and the impact is complete file deletion without obfuscation.

Generated by OpenCVE AI on July 2, 2026 at 15:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Image Optimizer to the latest available version, as newer releases are expected to fix the unsanitized deletion logic; the specific patched version is not detailed in the provided data, so this is an inferred recommendation.
  • If an immediate update is not possible, restrict the ability of Author-level users to edit custom fields for attachments, for example by revoking the 'edit post custom fields' capability through a role-management plugin.
  • As an interim measure, disable attachment deletion or remove the backups feature in the plugin until the fix is applied, preventing the delete_attachment hook from performing file deletions.


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path validation in the Image_Backup::remove() function where backup file paths stored in post meta are used directly in file deletion operations without verifying they are within the uploads directory. The plugin stores backup file paths in the image_optimizer_metadata post meta field and trusts these paths completely when deleting backups on the delete_attachment hook. An authenticated attacker with Author-level access can edit the image_optimizer_metadata post meta on their own attachments via WordPress's Custom Fields interface, injecting arbitrary absolute file paths into the backups array. When the attacker subsequently deletes the attachment, the plugin calls File_System::delete() on each path without validation. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server within the web server's filesystem permissions, potentially leading to denial of service, data loss, or security degradation.
Title | | Image Optimizer <= 1.7.4 - Authenticated (Author+) Arbitrary File Deletion via Post Meta Field Injection
Weaknesses | | CWE-73
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-02T12:37:03.815Z

Reserved: 2026-04-08T16:28:00.923Z

Link: CVE-2026-5821

Vulnrichment

Updated: 2026-07-02T12:37:00.793Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:45:16Z

Weaknesses
  • CWE-73: External Control of File Name or Path