PT-2026-55284 · WordPress · Tinypng

Lhking · Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-7311

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress, versions prior to 3.6.14

Description
Insufficient file path validation in the delete_converted_image_size() function allows authenticated attackers with author-level access or higher to delete arbitrary files on the server. The path to delete is read from the convert.path field of the tiny_compress_images post meta of an attachment owned by the attacker; a server file path injected there is removed when the attachment deletion is triggered. Deleting critical files, such as wp-config.php, can lead to remote code execution.

Recommendations
Update the plugin to version 3.6.14 or later.
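The root cause above is a path taken from attacker-writable post meta and passed to a delete routine without confining it to the uploads tree. The following is an added example of the check a plugin should apply before unlinking such a path; it is not the TinyPNG plugin's own code or its fix. It assumes the caller passes the uploads base directory (in WordPress, wp_upload_dir()['basedir']) and the stored path; the function name safe_delete_in_dir and the demonstration files are constructed for this example.

```php
<?php
// Added example (not the TinyPNG plugin's code): delete a file only if its
// resolved location lies strictly inside the uploads base directory.
// $base_dir is assumed to be wp_upload_dir()['basedir'] in WordPress.
function safe_delete_in_dir(string $base_dir, string $stored_path): bool
{
    // realpath() resolves symlinks and '..' segments; false means "does not exist".
    $base = realpath($base_dir);
    if ($base === false) {
        return false;
    }
    $target = realpath($stored_path);
    if ($target === false) {
        return false;
    }

    // Compare against the base with a trailing separator so that a sibling
    // directory such as "/uploads-other" does not pass as a prefix match.
    $base_with_sep = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $base_with_sep, strlen($base_with_sep)) !== 0) {
        return false;
    }

    // Refuse directories and special files; only regular files are removed.
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Demonstration on constructed files in the system temp directory.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_uploads';
@mkdir($uploads);
$inside  = $uploads . DIRECTORY_SEPARATOR . 'image-300x200.webp';
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_outside.txt';
file_put_contents($inside, 'constructed converted image');
file_put_contents($outside, 'constructed file outside the uploads tree');

// A path inside the uploads tree is deleted.
var_dump(safe_delete_in_dir($uploads, $inside));
// A traversal path that resolves outside the uploads tree is rejected,
// and the file it points at is left untouched.
var_dump(safe_delete_in_dir($uploads, $uploads . '/../demo_outside.txt'));
var_dump(file_exists($outside));

// Cleanup of the constructed files.
@unlink($outside);
@rmdir($uploads);
```

The important detail is that the check runs on the resolved path, not on the string stored in the meta: a prefix test on the raw value can be bypassed with ".." segments or a symlink placed in the uploads directory, while realpath() normalises both before the comparison. A complementary control is to never store an absolute path in post meta at all and instead keep only a filename relative to the attachment's own directory.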

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-7311

Affected Products

Tinypng