Arbitrary File Deletion Vulnerability in WP-Optimize Plugin by WordPress
CVE-2026-7252

8.1HIGH

Key Information:

Vendor: WordPress
Status: WP-optimize – Cache, Compress Images, Minify & Clean Database To Boost Page Speed & Performance
Vendor: CVE Published:; 7 May 2026

What is CVE-2026-7252?

The WP-Optimize plugin for WordPress has a vulnerability due to inadequate file path validation in its unscheduled_original_file_deletion function. This flaw affects all versions up to and including 4.5.2. Authenticated users with author-level permissions can exploit this vulnerability to delete arbitrary files on the server, potentially leading to remote code execution. The 'original-file' meta key, being publicly accessible, allows these users to manipulate it freely through the Edit Media interface or the REST API, raising significant security concerns.

Affected Version(s)

WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance 0 <= 4.5.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-optimize/tr...

https://plugins.trac.wordpress.org/browser/wp-optimize/ta...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Apr 27, 2026

Credit

Ly Hoang

CVE-2026-7252 Data

JSON