CVE-2026-7252 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: May 7, 2026
WP-Optimize - Arbitrary File Deletion
Published: May 7, 2026 | Updated: May 7, 2026 | Remote Exploitable
Overview
The WP-Optimize WordPress plugin, versions <= 4.5.2, contains an arbitrary file deletion vulnerability caused by insufficient file path validation in the unscheduled_original_file_deletion function. Authenticated attackers with author-level access can delete arbitrary files; exploitation requires author-level privileges.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Authenticated attackers with author access can delete arbitrary files, potentially leading to remote code execution and full server compromise.
Mitigation
Update to the latest version, which must be later than 4.5.2.
References
- https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L81
- https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L1649
- https://plugins.trac.wordpress.org/changeset/3518513/wp-optimize/trunk/includes/class-updraft-smush-manager.php
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-optimize/tags/4.5.2&new_path=%2Fwp-optimize/tags/4.5.3
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cc815ef2-dd02-4faa-b202-dd1552f889db?source=cve
- https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L1645
- https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L1645
- https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L81
- https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L1649
Details
- CVE ID: CVE-2026-7252
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: new
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H