{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wp-optimize--cache-compress-images-minify--clean-database-to-boost-page-speed--performance--4.5.2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-7252"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WP-Optimize – Cache, Compress images, Minify \u0026 Clean database to boost page speed \u0026 performance \u003c= 4.5.2"],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-deletion","rce"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP-Optimize – Cache, Compress images, Minify \u0026amp; Clean database to boost page speed \u0026amp; performance plugin, a widely used WordPress plugin, contains a critical vulnerability that allows authenticated attackers with author-level permissions and above to delete arbitrary files on the server. This vulnerability, identified as CVE-2026-7252, stems from insufficient file path validation in the \u003ccode\u003eunscheduled_original_file_deletion\u003c/code\u003e function within the plugin. The issue affects all versions up to and including 4.5.2. Successful exploitation can lead to complete compromise of the WordPress installation, including remote code execution by deleting critical files such as \u003ccode\u003ewp-config.php\u003c/code\u003e. The attack is facilitated by the fact that \u003ccode\u003eoriginal-file\u003c/code\u003e is a publicly accessible meta key.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains author-level or higher access to a WordPress site with the vulnerable WP-Optimize plugin installed.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003eoriginal-file\u003c/code\u003e meta key associated with an attachment post.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eoriginal-file\u003c/code\u003e meta key via the Edit Media form or the REST API to point to a sensitive file on the server, such as \u003ccode\u003ewp-config.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunscheduled_original_file_deletion\u003c/code\u003e function is triggered (likely via a scheduled task or other plugin functionality that utilizes the meta key).\u003c/li\u003e\n\u003cli\u003eDue to the insufficient file path validation, the plugin attempts to delete the file specified in the modified \u003ccode\u003eoriginal-file\u003c/code\u003e meta key (e.g., \u003ccode\u003ewp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe sensitive file is successfully deleted from the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the deleted sensitive file to achieve remote code execution, potentially by exploiting missing configuration or using alternative attack vectors.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to delete arbitrary files on the WordPress server. This can lead to a complete loss of website functionality, data corruption, and potential remote code execution. Deleting configuration files, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, can allow attackers to gain control of the database and the entire WordPress installation. Given the popularity of the WP-Optimize plugin, a large number of WordPress websites are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP-Optimize plugin to a version greater than 4.5.2 to patch CVE-2026-7252.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;WP-Optimize Arbitrary File Deletion Attempt\u0026rdquo; to detect attempts to modify the \u003ccode\u003eoriginal-file\u003c/code\u003e meta key to point to sensitive files.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress access logs for suspicious activity related to the Edit Media form and REST API endpoints to detect unauthorized modifications of attachment metadata.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-wp-optimize-file-deletion/","summary":"The WP-Optimize plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with author-level access or higher to delete arbitrary files, potentially leading to remote code execution.","title":"WP-Optimize Plugin Vulnerable to Arbitrary File Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-wp-optimize-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — WP-Optimize – Cache, Compress Images, Minify \u0026 Clean Database to Boost Page Speed \u0026 Performance \u003c= 4.5.2","version":"https://jsonfeed.org/version/1.1"}