CVE-2026-7252 Overview
CVE-2026-7252 is an arbitrary file deletion vulnerability in the WP-Optimize WordPress plugin. The flaw resides in the unscheduled_original_file_deletion function and affects all versions up to and including 4.5.2. Authenticated attackers with author-level access or higher can delete arbitrary files on the server. Deleting critical files such as wp-config.php can trigger WordPress reinstallation flows and lead to remote code execution. The root issue is that original-file is a public meta key, which allows authors to create or modify it on their own attachment posts through the standard Edit Media form or the REST API.
Critical Impact
Authenticated authors can delete wp-config.php and other critical files, enabling site takeover and remote code execution.
Affected Products
- WP-Optimize – Cache, Compress images, Minify & Clean database plugin for WordPress
- All versions up to and including 4.5.2
- Fixed in version 4.5.3
Discovery Timeline
- 2026-05-07 - CVE-2026-7252 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-7252
Vulnerability Analysis
The WP-Optimize plugin includes an image optimization feature (Smush) that retains a backup of the original image after compression. When the user disables retention, the plugin invokes unscheduled_original_file_deletion to remove the backup file. The function reads the file path from the original-file post meta on an attachment and passes it to a delete operation without enforcing that the path resides within the WordPress uploads directory.
The vulnerability is classified as a Path Traversal weakness under CWE-22. Because authors can manage their own attachment posts, an attacker can upload an image, set the original-file meta to an arbitrary absolute path, and trigger the deletion routine. Removing wp-config.php causes WordPress to enter the install state, allowing an attacker to point the site at an attacker-controlled database and achieve code execution.
Root Cause
The root cause is dual: insufficient file path validation in unscheduled_original_file_deletion combined with the use of a non-protected meta key. WordPress treats meta keys that begin with an underscore as protected, blocking direct edits through the Edit Media form and REST API. The original-file key has no underscore prefix, so authors can write arbitrary string values to it on attachments they own. See the affected source at class-updraft-smush-manager.php L1645.
Attack Vector
Exploitation requires an authenticated session with author-level capabilities or higher. The attacker uploads or selects an attachment, sets the original-file meta value to a path such as the absolute location of wp-config.php, and invokes the plugin action that calls unscheduled_original_file_deletion. The PHP process executes the unlink against the attacker-supplied path with the privileges of the web server. No user interaction is required from administrators.
No verified proof-of-concept code is published. Refer to the
Wordfence advisory and the WordPress.org changeset for technical details:
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc815ef2-dd02-4faa-b202-dd1552f889db
Detection Methods for CVE-2026-7252
Indicators of Compromise
- Attachment posts owned by author-level accounts containing an original-file postmeta value with absolute paths or directory traversal sequences such as ../.
- Unexpected absence of wp-config.php or sudden appearance of the WordPress installation screen at the site root.
- New administrator accounts created shortly after WordPress reinstallation flows are triggered.
- File deletion entries in PHP error logs referencing class-updraft-smush-manager.php.
Detection Strategies
- Audit the wp_postmeta table for rows with meta_key = 'original-file' and inspect values for paths outside the uploads directory.
- Monitor WordPress REST API calls to /wp/v2/media/{id}/meta and Edit Media form submissions that set original-file.
- Review filesystem audit logs for unlink operations executed by the PHP-FPM or web server user against paths outside wp-content/uploads/.
Monitoring Recommendations
- Enable WordPress activity logging for attachment metadata changes by non-administrator accounts.
- Alert on integrity changes to wp-config.php, .htaccess, and core PHP files via file integrity monitoring.
- Track plugin version inventory and flag WordPress sites running WP-Optimize 4.5.2 or earlier.
How to Mitigate CVE-2026-7252
Immediate Actions Required
- Update the WP-Optimize plugin to version 4.5.3 or later on every WordPress instance.
- Audit all author, editor, and contributor accounts and disable any that are unused or unrecognized.
- Verify integrity of wp-config.php and core WordPress files; restore from a known-good backup if tampered.
- Rotate database credentials and WordPress secret keys if compromise is suspected.
Patch Information
The vendor addressed CVE-2026-7252 in WP-Optimize version 4.5.3. The fix is documented in WordPress Changeset #3518513 and the 4.5.2 to 4.5.3 diff. Additional details are available in the Wordfence Vulnerability Report.
Workarounds
- Deactivate the WP-Optimize plugin until the update to 4.5.3 can be applied.
- Restrict the author role using a capability manager so only trusted users can upload media or edit attachments.
- Enforce least privilege on the web server user so PHP cannot delete files outside wp-content/.
# Restrict filesystem permissions so PHP cannot remove wp-config.php
chown root:www-data /var/www/html/wp-config.php
chmod 640 /var/www/html/wp-config.php
# Quickly identify vulnerable WP-Optimize installs
grep -R "Version: 4.5." /var/www/*/wp-content/plugins/wp-optimize/wp-optimize.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
