Description
The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4.5.2. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is possible because 'original-file' is a public (non-protected) meta key — it does not begin with an underscore — allowing Authors to freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API.
Published: 2026-05-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP‑Optimize plugin contains a flaw in the unscheduled_original_file_deletion function, where insufficient validation of file paths allows deletion of any file on the server. This can remove critical files such as wp‑config.php, potentially providing an attacker with a path to remote code execution. The weakness is a classic path traversal flaw (CWE‑22) that becomes reachable through improper handling of the public meta key "original‑file".

Affected Systems

Version 4.5.2 and all earlier releases of the WP‑Optimize plugin from the vendor David Anderson are affected. Any WordPress installation running those versions of the plugin is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high-severity vulnerability, and the EPSS score is not available for this risk assessment. The plugin is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is an authenticated user with author or higher privileges who can modify attachment post meta via the Edit Media interface or the REST API. Once such a user manipulates the "original-file" meta key, they can delete arbitrary files on the server, which may allow execution of arbitrary code if a sensitive file is targeted.

Generated by OpenCVE AI on May 7, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP‑Optimize plugin to version 4.5.3 or later where the path validation bug has been fixed
  • Restrict authors from editing media attachment meta; consider removing the "original-file" meta key from all attachments or disabling the Edit Media capability for non‑admin roles
  • As a temporary measure, delete any "original-file" meta entries from existing media attachments to remove the vector for file deletion
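As an added illustration of the second recommended action and of the path check the description says the vulnerable function lacks (this is example code written here, not WP-Optimize's own code; the helper name is hypothetical and the assumed deployment is a must-use plugin), the snippet below marks 'original-file' as a protected meta key through WordPress's is_protected_meta filter and shows a delete helper that refuses anything resolving outside the uploads directory.

```php
<?php
/**
 * Plugin Name: Protect original-file meta (added example, not WP-Optimize code)
 * Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// 1) Treat 'original-file' like an underscore-prefixed key. WordPress then omits it
//    from the custom-fields box on the Edit Media screen and denies writes to it
//    for users who lack the edit_post_meta capability (Authors do not have it),
//    closing the author-level write path the advisory describes.
add_filter( 'is_protected_meta', function ( $protected, $meta_key, $meta_type ) {
    if ( 'post' === $meta_type && 'original-file' === $meta_key ) {
        return true;
    }
    return $protected;
}, 10, 3 );

// 2) Hypothetical hardened delete helper: only a regular file that resolves inside
//    the uploads directory may be removed. realpath() collapses '../' segments and
//    symlinks before the prefix comparison, so a crafted meta value cannot escape.
function example_delete_file_within_uploads( $candidate ) {
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $target  = realpath( (string) $candidate );

    if ( false === $base || false === $target ) {
        return false; // nonexistent or unresolvable path: nothing to delete
    }

    $base_prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $target, $base_prefix ) ) {
        return false; // resolved path lies outside wp-content/uploads
    }

    if ( ! is_file( $target ) ) {
        return false; // directories and special files are never unlinked
    }

    return unlink( $target );
}
```

Verify on a staging site that the Edit Media custom-fields box no longer lists the key for an Author account before relying on the filter.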

Generated by OpenCVE AI on May 7, 2026 at 06:21 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 06:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Davidanderson; Davidanderson wp-optimize – Cache, Compress Images, Minify & Clean Database To Boost Page Speed & Performance; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Davidanderson; Davidanderson wp-optimize – Cache, Compress Images, Minify & Clean Database To Boost Page Speed & Performance; Wordpress; Wordpress wordpress

Thu, 07 May 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4.5.2 This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is possible because 'original-file' is a public (non-protected) meta key — it does not begin with an underscore — allowing Authors to freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API.

Type: Title
Values Removed: (none)
Values Added: WP-Optimize <= 4.5.2 - Authenticated (Author+) Arbitrary File Deletion via 'original-file' Post Meta

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-07T14:15:26.842Z

Reserved: 2026-04-27T19:09:53.550Z

Link: CVE-2026-7252

Vulnrichment

Updated: 2026-05-07T14:15:22.644Z

NVD

Status : Deferred

Published: 2026-05-07T06:16:05.567

Modified: 2026-05-07T14:00:05.650

Link: CVE-2026-7252

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:30:06Z

Weaknesses