WP-Optimize < 4.5.3 – Author+ Arbitrary File Deletion via 'original-file' Post Meta | CVE 2026-7252 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in the `unscheduled_original_file_deletion()` function. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as `wp-config.php`). This is possible because `original-file` is a public (non-protected) meta key — it does not begin with an underscore — allowing Authors to freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API.

Affects Plugins

Fixed in 4.5.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cc815ef2-dd02-4faa-b202-dd1552f889db

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Ly Hoang

Verified

No

WPVDB ID

b020f9de-f9d3-48a7-b52c-3a62172c4a54

Timeline

Publicly Published

2026-05-06 (about 7 days ago)

Added

2026-05-07 (about 6 days ago)

Last Updated

2026-05-07 (about 6 days ago)

Other

Published

Title

Published

2025-07-06

Title

WP Pipes <= 1.4.3 - Unauthenticated Arbitrary File Deletion

Published

2025-03-21

Title

Export and Import Users and Customers < 2.6.3 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function

Published

2025-12-17

Title

Frontend File Manager < 23.5 - Subscriber+ Arbitrary File Deletion

Published

2022-03-16

Title

iQ Block Country < 1.2.13 - Admin+ Arbitrary File Deletion via Zip Slip

Published

2023-10-11

Title

AI ChatBot < 4.9.1 - Subscriber+ Arbitrary File Deletion