CVE-2026-7252

Name of the Vulnerable Software and Affected Versions WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance versions prior to 4.5.3

Description Insufficient file path validation in the unscheduled original file deletion() function allows authenticated attackers with author-level access or higher to delete arbitrary files on the server. This occurs because original-file is a public meta key that can be modified by authors via the REST API or the standard Edit Media form. Deleting critical files, such as 'wp-config.php', can lead to remote code execution.

Recommendations Update the plugin to a version later than 4.5.2.