CVE-2026-7252: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in davidanderson WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
A path traversal vulnerability (CWE-22) exists in the WP-Optimize WordPress plugin up to version 4. 5. 2, allowing authenticated users with author-level access or higher to delete arbitrary files on the server. This occurs due to insufficient validation of file paths in the unscheduled_original_file_deletion function, combined with the fact that the 'original-file' meta key is publicly writable by authors. Exploiting this vulnerability can lead to remote code execution if critical files like wp-config. php are deleted. The vulnerability has a high CVSS score of 8. 1. No official patch or remediation guidance is currently provided by the vendor, and no known exploits are reported in the wild.
AI Analysis
Technical Summary
The WP-Optimize plugin for WordPress suffers from a path traversal vulnerability in the unscheduled_original_file_deletion function, which improperly limits file pathnames to restricted directories. Authenticated users with author-level privileges can manipulate the 'original-file' meta key on attachment posts to delete arbitrary files on the server. This vulnerability affects all versions up to and including 4.5.2. Because the 'original-file' meta key is not protected (does not start with an underscore), authors can modify it via the Edit Media form or REST API, enabling the attack. Deleting critical files such as wp-config.php can facilitate remote code execution. The CVSS 3.1 base score is 8.1, indicating high severity. No vendor patch or official remediation is currently documented.
Potential Impact
Authenticated attackers with author-level access can delete arbitrary files on the server hosting the WordPress site. This can lead to denial of service or remote code execution if key files like wp-config.php are deleted. The vulnerability does not allow unauthenticated access but leverages insufficient file path validation and publicly writable meta keys to escalate impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict author-level user permissions where possible and monitor for suspicious file deletion activity. Avoid granting author-level access to untrusted users. Consider disabling or limiting the use of the WP-Optimize plugin if feasible until a patch is released.
CVE-2026-7252: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in davidanderson WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
Description
A path traversal vulnerability (CWE-22) exists in the WP-Optimize WordPress plugin up to version 4. 5. 2, allowing authenticated users with author-level access or higher to delete arbitrary files on the server. This occurs due to insufficient validation of file paths in the unscheduled_original_file_deletion function, combined with the fact that the 'original-file' meta key is publicly writable by authors. Exploiting this vulnerability can lead to remote code execution if critical files like wp-config. php are deleted. The vulnerability has a high CVSS score of 8. 1. No official patch or remediation guidance is currently provided by the vendor, and no known exploits are reported in the wild.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The WP-Optimize plugin for WordPress suffers from a path traversal vulnerability in the unscheduled_original_file_deletion function, which improperly limits file pathnames to restricted directories. Authenticated users with author-level privileges can manipulate the 'original-file' meta key on attachment posts to delete arbitrary files on the server. This vulnerability affects all versions up to and including 4.5.2. Because the 'original-file' meta key is not protected (does not start with an underscore), authors can modify it via the Edit Media form or REST API, enabling the attack. Deleting critical files such as wp-config.php can facilitate remote code execution. The CVSS 3.1 base score is 8.1, indicating high severity. No vendor patch or official remediation is currently documented.
Potential Impact
Authenticated attackers with author-level access can delete arbitrary files on the server hosting the WordPress site. This can lead to denial of service or remote code execution if key files like wp-config.php are deleted. The vulnerability does not allow unauthenticated access but leverages insufficient file path validation and publicly writable meta keys to escalate impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict author-level user permissions where possible and monitor for suspicious file deletion activity. Avoid granting author-level access to untrusted users. Consider disabling or limiting the use of the WP-Optimize plugin if feasible until a patch is released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-27T19:09:53.550Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fc24d8cbff5d86109abcc5
Added to database: 5/7/2026, 5:36:24 AM
Last enriched: 5/7/2026, 5:51:30 AM
Last updated: 5/7/2026, 7:52:11 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.