
cpe:2.3:a:davidanderson:wp-optimize_–_cache,_compress_images,_minify_&_clean_database_to_boost_page_speed_&_performance:*:*:*:*:*:*:*:*

part: a
version: *
update: *

Vendor: Davidanderson (cd5b714b-c39d-52de-94ce-1764b588bf76)
Product: Wp Optimize – Cache, Compress Images, Minify & Clean Database To Boost Page Speed & Performance (5966bb9f-fc0d-5dee-b9ce-0ba60524e9f2)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier: CVE:CVE-2026-7252
cpeApplicability: vulnerable
Submitted: 2026-06-08 08:08:56.696954
db.gcve.eu details: WP-Optimize <= 4.5.2 - Authenticated (Author+) Arbitrary File Deletion via 'original-file' Post Meta
HIGH (8.1)
The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4.5.2. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is possible because 'original-file' is a public (non-protected) meta key — it does not begin with an underscore — allowing Authors to freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API.
Published: 2026-05-07T04:27:10.902Z
Updated: 2026-05-07T14:15:26.842Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2026-2712
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:55:17.414670
db.gcve.eu details: WP-Optimize <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update and Image Manipulation
MEDIUM (5.4)
The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`).
Published: 2026-04-10T01:24:57.952Z
Updated: 2026-04-10T13:46:16.718Z
Rationale: Imported from gcve-enriched-dumps CVE data
