CVE Catalog

CVE-2026-7311

Severity: High (CVSS 8.1)

Exploitation Probability (EPSS)

Low risk: 0.67% (47th percentile, i.e. higher than 47% of all known CVEs)

Summary

The TinyPNG plugin for WordPress (versions up to 3.6.13) contains an arbitrary file deletion vulnerability exploitable by authenticated attackers with author-level access or higher. The issue stems from insufficient file path validation in the delete_converted_image_size function.

Risk Assessment

An authenticated user with the Author role or higher can delete arbitrary files on the web server, including wp-config.php. Deleting wp-config.php is the classic escalation path: with the configuration file missing, WordPress treats the site as not yet installed and exposes the setup wizard, which lets an attacker point the site at a database they control, create an administrator account, and then install a malicious plugin or theme to execute code. The result is full compromise of the site and potentially of the hosting account.

Recommendation

Update the TinyPNG plugin to a release later than 3.6.13 that contains the fix as soon as possible. If no fixed release is available for your site, disable the plugin in the meantime. Because the attack requires Author-level access, also review which accounts hold that role or higher, and check existing attachment metadata (the 'tiny_compress_images' post meta) for 'convert.path' values that point outside the uploads directory, since a tampered entry is the precondition for the deletion and a useful indicator of an attempted exploit.

Original NVD description (English source)

The TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_converted_image_size function in all versions up to, and including, 3.6.13. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can exploit this by injecting an arbitrary server file path into the 'convert.path' field of the 'tiny_compress_images' post meta on an attachment they own, then triggering attachment deletion to invoke the vulnerable code path.
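The NVD text describes the exploit as a tampered 'convert.path' value inside the 'tiny_compress_images' post meta, which the plugin later passes to its delete routine. The script below is an added example (not code from the TinyPNG plugin or from NVD) showing the two things a practitioner would want from that description: the containment check that a fixed delete routine must perform before unlinking (resolve the path and refuse anything outside the uploads base directory), and an audit that applies the same check to stored post meta so an incident responder can spot tampered entries. It assumes the meta is a PHP-serialized array keyed by image size, with each entry optionally carrying a nested 'convert' => ['path' => ...] element, and that paths may be absolute or relative to the uploads directory; the uploads path and the sample rows are constructed for the example.

```python
"""Audit TinyPNG-style attachment metadata for convert.path values that
escape the uploads directory (added example; not the plugin's own code).

Assumed meta layout: PHP-serialized array keyed by size name, each value an
array that may contain 'convert' => ['path' => '<file>'].  The base directory
and sample rows below are constructed for this example.
"""
import os
from typing import Any, List, Tuple


def _parse(data: bytes, pos: int) -> Tuple[Any, int]:
    """Decode one PHP serialize() value starting at pos; return (value, next_pos)."""
    t = data[pos:pos + 1]
    if t == b"N":                                  # N;
        return None, pos + 2
    if t in (b"i", b"d", b"b"):                    # i:42;  d:1.5;  b:1;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        if t == b"i":
            return int(raw), end + 1
        if t == b"d":
            return float(raw), end + 1
        return raw == b"1", end + 1
    if t == b"s":                                  # s:5:"hello";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip ':"'
        val = data[start:start + length].decode("utf-8", "surrogateescape")
        return val, start + length + 2             # skip '";'
    if t == b"a":                                  # a:2:{<key><value>...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                            # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            result[key] = val
        return result, pos + 1                     # skip '}'
    raise ValueError(f"unsupported PHP serialize type {t!r} at offset {pos}")


def php_unserialize(data: bytes) -> Any:
    """Decode the subset of PHP's serialize() format used by WordPress post meta."""
    value, _ = _parse(data, 0)
    return value


def php_serialize(value: Any) -> bytes:
    """Encode the same subset; used here only to build the constructed samples."""
    if isinstance(value, bool):
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode()
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")


def path_escapes(base_dir: str, candidate: str) -> bool:
    """Containment check a fixed delete routine needs: True if candidate
    (absolute, or relative to base_dir) resolves anywhere outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))  # absolute candidate wins
    return os.path.commonpath([base, target]) != base


def audit_meta(base_dir: str, serialized: bytes) -> List[Tuple[str, str]]:
    """Return (size_name, path) for every convert.path that leaves base_dir."""
    meta = php_unserialize(serialized)
    findings: List[Tuple[str, str]] = []
    if not isinstance(meta, dict):
        return findings
    for size, entry in meta.items():
        if not isinstance(entry, dict):
            continue
        convert = entry.get("convert")
        if isinstance(convert, dict) and isinstance(convert.get("path"), str):
            if path_escapes(base_dir, convert["path"]):
                findings.append((str(size), convert["path"]))
    return findings


# Constructed sample data (hypothetical site layout, not real rows).
UPLOADS = "/srv/wordpress/wp-content/uploads"
BENIGN_META = php_serialize({
    "thumbnail": {"input": {"size": 4321}, "output": {"size": 1200},
                  "convert": {"path": "2024/05/photo-150x150.webp"}},
})
TAMPERED_META = php_serialize({
    0: {"convert": {"path": "/srv/wordpress/wp-config.php"}},
    "thumbnail": {"convert": {"path": "../../../wp-config.php"}},
})

if __name__ == "__main__":
    for label, row in (("benign", BENIGN_META), ("tampered", TAMPERED_META)):
        print(label, audit_meta(UPLOADS, row))
```

In a real investigation the serialized value comes from `SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = 'tiny_compress_images'`, and the base directory from `wp_upload_dir()['basedir']`. The same `realpath` plus prefix comparison, done in PHP before `unlink()`, is what closes the bug in the delete routine: a tampered path may be absolute, may use `..`, or may merely share a prefix with the uploads directory (`uploads-old/...`), and all three are rejected here.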

Vulnerability data from NVD (NIST) · CISA KEV · EPSS