CVE-2026-7311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in tinypng TinyPNG – JPEG, PNG & WebP image compression
The TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_converted_image_size function in all versions up to, and including, 3.6.13. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can exploit this by injecting an arbitrary server file path into the 'convert.path' field of the 'tiny_compress_images' post meta on an attachment they own, then triggering attachment deletion to invoke the vulnerable code path.
AI Analysis
Technical Summary
CVE-2026-7311 is a path traversal vulnerability (CWE-22) in the TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress. The delete_converted_image_size function unlinks a path taken from the 'convert.path' field of the 'tiny_compress_images' post meta without confining that path to the uploads directory, so the file it removes can be anywhere the web server user is permitted to delete. An authenticated user with the Author role or higher plants an arbitrary server path in that field on an attachment they own, then deletes the attachment so that the vulnerable code path runs with the planted value; the advisory does not detail the mechanism by which the Author writes the meta value. Deletion by itself is not code execution. The step to RCE is that WordPress, finding no wp-config.php, presents its installer, which lets the attacker complete a fresh setup against a database they control and from there install code on the site. The vulnerability affects all versions up to and including 3.6.13. No official patch or remediation level had been published in the data available when this analysis was generated.
Potential Impact
An attacker holding the Author role or higher can delete any file the PHP worker process is allowed to unlink. Removing plugin, theme or core files is a denial of service; removing wp-config.php drops the site into the installer, which is the route to remote code execution and full site takeover. The vulnerability does not disclose data by itself, but it strikes integrity and availability, which is reflected in the CVSS v3.1 score of 8.1 (High).
Mitigation Recommendations
Patch status is not confirmed in the data here; check the vendor advisory and the plugin changelog for a release later than 3.6.13 and update as soon as one exists. Until then, deactivate the plugin, or at least limit the Author role and above to trusted accounts, since that role is the entry requirement. Audit wp_postmeta for 'tiny_compress_images' rows whose convert path points outside wp-content/uploads and treat any hit as an intrusion indicator. Harden the filesystem so the web server user cannot remove wp-config.php: on POSIX systems unlink requires write permission on the containing directory rather than on the file, so the WordPress root directory should not be writable by the PHP worker, at the cost of core auto-updates needing another mechanism. Monitor attachment deletions and, above all, any request that reaches the WordPress installer (wp-admin/install.php) on a site that is already installed. Follow vendor updates for an official patch or temporary workaround.
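The following Python is an added example written for this page; it is not code from the TinyPNG plugin, from Wordfence, or from the advisory. It serves two passages above: the technical analysis, by showing the containment check that a delete routine such as delete_converted_image_size must apply before unlinking a path taken from post meta, and the mitigation section, by scanning constructed wp_postmeta rows for 'tiny_compress_images' values whose convert path escapes the uploads directory. Assumptions: the meta value is a PHP-serialized array whose 'convert' sub-array carries a 'path' key (the advisory only names the field 'convert.path'), the uploads directory is /var/www/html/wp-content/uploads, and all sample rows and the on-disk fixture are constructed here.

```python
"""Added example (not TinyPNG plugin code): path-containment guard and a
wp_postmeta hunt for a CWE-22 arbitrary-file-delete.

Assumption: 'tiny_compress_images' is a PHP-serialized array whose 'convert'
sub-array carries a 'path' key; the advisory only names the field 'convert.path'.
"""
import os
import re
import tempfile

UPLOADS = "/var/www/html/wp-content/uploads"  # assumed uploads basedir


def weak_prefix_check(candidate: str, base: str) -> bool:
    """A string-prefix test, the kind of check that lets traversal through:
    it accepts 'base/../../wp-config.php' and the sibling 'base_old/...'."""
    return candidate.startswith(base)


def is_within(candidate: str, base: str) -> bool:
    """Lexical containment: collapse '.' and '..', then require base to be a
    prefix at a directory boundary. Relative candidates resolve against base.
    Needs no filesystem access, so it also works on offline meta dumps."""
    base_n = os.path.normpath(os.path.abspath(base))
    cand_n = os.path.normpath(os.path.join(base_n, candidate))
    try:
        return os.path.commonpath([base_n, cand_n]) == base_n
    except ValueError:  # e.g. different drives on Windows
        return False


def resolve_within(candidate: str, base: str):
    """Guard for the actual unlink(): realpath() both sides so a symlink
    planted inside uploads cannot point the delete at a file outside it.
    Returns the resolved path to delete, or None if it must be refused."""
    base_r = os.path.realpath(base)
    cand_r = os.path.realpath(os.path.join(base_r, candidate))
    if not os.path.isfile(cand_r):
        return None
    return cand_r if os.path.commonpath([base_r, cand_r]) == base_r else None


# Matches the 'path' => "..." pair inside the assumed serialized structure.
_PATH_RE = re.compile(r's:4:"path";s:\d+:"([^"]*)"')


def hunt_convert_paths(rows, uploads_base):
    """rows: (post_id, meta_value) pairs from wp_postmeta where
    meta_key = 'tiny_compress_images'. Returns [(post_id, path)] for each
    convert path that does not stay under uploads_base."""
    findings = []
    for post_id, meta_value in rows:
        for path in _PATH_RE.findall(meta_value):
            if not is_within(path, uploads_base):
                findings.append((post_id, path))
    return findings


def php_serialized_convert(path: str) -> str:
    """Build a constructed meta value of the assumed shape."""
    raw = path.encode()
    return 'a:1:{s:7:"convert";a:1:{s:4:"path";s:%d:"%s";}}' % (len(raw), path)


# Constructed sample rows, not data from any real site.
SAMPLE_ROWS = [
    (101, php_serialized_convert(UPLOADS + "/2026/05/photo-300x200.webp")),  # legitimate
    (102, php_serialized_convert("/var/www/html/wp-config.php")),            # absolute path
    (103, php_serialized_convert(UPLOADS + "/../../wp-config.php")),         # traversal
    (104, php_serialized_convert(UPLOADS + "_old/cache.webp")),              # prefix-bypass sibling
]


def build_fixture():
    """Constructed on-disk layout for exercising resolve_within(): a fake
    wp-config.php, one converted image under uploads, and a symlink inside
    uploads that points back at wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(os.path.join(uploads, "2026"))
    config = os.path.join(root, "wp-config.php")
    photo = os.path.join(uploads, "2026", "photo.webp")
    for name in (config, photo):
        with open(name, "w") as fh:
            fh.write("placeholder")
    link = os.path.join(uploads, "link.webp")
    try:
        os.symlink(config, link)
    except OSError:  # no symlink support on this platform
        link = None
    return {"uploads": uploads, "config": config,
            "photo_real": os.path.realpath(photo), "link": link}


if __name__ == "__main__":
    for post_id, path in hunt_convert_paths(SAMPLE_ROWS, UPLOADS):
        print(f"post {post_id}: convert.path escapes uploads: {path}")
    fx = build_fixture()
    print("delete allowed :", resolve_within("2026/photo.webp", fx["uploads"]))
    print("delete refused :", resolve_within("../../wp-config.php", fx["uploads"]))
    print("symlink refused:", resolve_within("link.webp", fx["uploads"]))
```

Two checks are kept separate on purpose. is_within() is purely lexical and is the right tool for hunting through a database dump, where the paths do not exist on the scanning host. resolve_within() is the guard for the code that actually deletes: it follows symlinks on both sides, so an attacker who can plant a symlink inside uploads still cannot steer the unlink outside it. A plain startswith() prefix test, shown as weak_prefix_check(), fails on both traversal and sibling-directory names.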
CVSS v3.1: 8.1 (High)
Affected software: TinyPNG – JPEG, PNG & WebP image compression (WordPress plugin), all versions up to and including 3.6.13
Weaknesses: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-04-28T12:43:26.086Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: not published
Threat ID: 6a46b6c227e9c79719e82773
Added to database: 07/02/2026, 19:06:42 UTC
Last enriched: 07/02/2026, 19:21:45 UTC
Last updated: 07/02/2026, 20:26:49 UTC