CVE-2026-5821
WordPress Vulnerability Analysis and Mitigation

Overview

CVE-2026-5821 is an arbitrary file deletion vulnerability in the Image Optimizer – Optimize Images and Convert to WebP or AVIF plugin for WordPress, affecting versions up to and including 1.7.4. The flaw resides in the Image_Backup::remove() function, which fails to validate that backup file paths stored in post meta are confined to the uploads directory before passing them to file deletion operations. It was published on July 2, 2026, and assigned by Wordfence. The vulnerability carries a CVSS v3.1 base score of 8.1 (High) (GitHub Advisory, Wordfence).

Technical details

The root cause is classified as CWE-73 (External Control of File Name or Path): the plugin stores backup file paths in the image_optimizer_metadata post meta field and trusts those paths unconditionally when the delete_attachment hook fires, calling File_System::delete() on each one without checking that it resolves inside the uploads directory. The meta key does not begin with an underscore, so WordPress does not treat it as protected meta, and the Author role is allowed to edit its own posts and attachments. An authenticated attacker with Author-level access can therefore use WordPress's Custom Fields interface to overwrite the backups array inside image_optimizer_metadata on an attachment they own, injecting arbitrary absolute filesystem paths. Deleting the attachment then makes the plugin delete every path in that array, including files outside the uploads directory, limited only by what the web server's process user is permitted to unlink. The relevant vulnerable code is in image-backup.php at line 117 and handle-backups-removing.php at line 19 (GitHub Advisory, WordPress Trac).

Impact

Successful exploitation allows an authenticated attacker to delete arbitrary files accessible to the web server process, including WordPress core files, configuration files (e.g., wp-config.php), or other sensitive server-side files. Deleting critical files can result in denial of service (site outage), data loss, or security degradation — for example, removing security plugins or .htaccess rules to weaken the site's defenses and facilitate follow-on attacks. There is no direct confidentiality impact, but integrity and availability are both rated High (GitHub Advisory, Wordfence).

Exploitation steps

  1. Reconnaissance: Identify WordPress sites running the Image Optimizer plugin (vendor: Elementor/elemntor) at version 1.7.4 or earlier, using tools like WPScan or by inspecting plugin directories.
  2. Obtain Author-level access: Register or compromise an account with at least Author-level privileges on the target WordPress site.
  3. Upload an attachment: Upload an image to the Media Library. The attachment is a post in its own right, and the plugin records its backup paths in an image_optimizer_metadata post meta entry on it.
  4. Manipulate post meta: Using WordPress's Custom Fields interface (or the REST API, which exposes a meta key only if it has been registered with show_in_rest), edit the image_optimizer_metadata field on the attachment to inject arbitrary absolute file paths (e.g., /var/www/html/wp-config.php) into the backups array.
  5. Trigger deletion: Delete the attachment from the WordPress media library. The delete_attachment hook fires, causing the plugin's Image_Backup::remove() to call File_System::delete() on each path in the tampered backups array without validation.
  6. Achieve objective: The targeted files (e.g., wp-config.php, .htaccess, security plugin files) are deleted from the server, resulting in denial of service, data loss, or weakened security posture (GitHub Advisory, Wordfence).
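The following is an added example, written for this page and not taken from the plugin, Wordfence or the fix changeset. It reproduces the CWE-73 pattern from the technical details and feeds it meta tampered in the way step 4 describes, then shows the containment check that closes the hole. It assumes the meta is a PHP array with a backups list of paths (the advisory does not give the exact format), it does not reproduce the real Image_Backup::remove() or File_System::delete(), and it builds a throwaway directory layout under the system temp directory so it runs without WordPress.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code. The on-disk meta format ('backups' => list of paths)
// and the directory layout are assumptions made for the demo.

// Vulnerable shape: every path found in the stored meta is handed to unlink() unchecked.
function remove_backups_vulnerable(array $meta): array
{
    $deleted = [];
    foreach ($meta['backups'] ?? [] as $path) {
        if (is_string($path) && is_file($path) && unlink($path)) {
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// Containment check: realpath() resolves symlinks and '..', then the result must sit under the
// resolved base directory. A path that does not resolve fails closed (there is nothing to delete).
function is_within_directory(string $path, string $base): bool
{
    $realBase = realpath($base);
    $realPath = realpath($path);
    if ($realBase === false || $realPath === false) {
        return false;
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath, $realBase, strlen($realBase)) === 0;
}

// Hardened shape: same loop, but anything outside the uploads base is refused and logged.
// Inside a plugin, $uploadsBase would come from wp_get_upload_dir()['basedir'] and the
// unlink() would be wp_delete_file(); both are WordPress core functions.
function remove_backups_hardened(array $meta, string $uploadsBase): array
{
    $deleted = [];
    foreach ($meta['backups'] ?? [] as $path) {
        if (!is_string($path) || !is_within_directory($path, $uploadsBase)) {
            error_log('refused backup path outside uploads: ' . var_export($path, true));
            continue;
        }
        if (is_file($path) && unlink($path)) {
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// Constructed stand-in for a WordPress install.
$root    = sys_get_temp_dir() . '/cve-2026-5821-demo-' . getmypid();
$uploads = $root . '/wp-content/uploads';
mkdir($uploads . '/2026/07', 0700, true);
file_put_contents($uploads . '/2026/07/photo.jpg.bak', 'legitimate backup');
file_put_contents($root . '/wp-config.php', '<?php // constructed stand-in for wp-config.php');

// Tampered meta: one real backup plus two injected entries, an absolute path and a '..' escape.
$tampered = ['backups' => [
    $uploads . '/2026/07/photo.jpg.bak',
    $root . '/wp-config.php',
    $uploads . '/../../wp-config.php',
]];

$kept = remove_backups_hardened($tampered, $uploads);
printf("hardened deleted: %s\n", implode(', ', $kept));
printf("wp-config.php present after hardened pass: %s\n", var_export(is_file($root . '/wp-config.php'), true));

$gone = remove_backups_vulnerable($tampered);
printf("vulnerable deleted: %s\n", implode(', ', $gone));
printf("wp-config.php present after vulnerable pass: %s\n", var_export(is_file($root . '/wp-config.php'), true));

// Remove the demo tree.
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($it as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

Run it with the php CLI. The hardened pass removes only the .bak file under uploads and logs the two injected paths to stderr; the vulnerable pass, run on the same meta, then removes the stand-in wp-config.php. Resolving both sides with realpath() is what makes the check hold against '..' segments and against a symlink planted inside uploads that points elsewhere; a plain string-prefix test on the unresolved path would pass both.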

Indicators of compromise

  • Logs: Server access logs showing an Author account issuing POST requests to wp-admin/post.php or admin-ajax.php (action=add-meta, the Custom Fields save path) against an attachment, followed shortly by a delete request for that same attachment; WordPress debug logs, where enabled, recording writes to image_optimizer_metadata whose backups field contains absolute paths outside the uploads directory.
  • File System: Unexpected disappearance of critical files such as wp-config.php, .htaccess, or security plugin files coinciding with attachment deletion events; absence of files that should exist in the WordPress root or core directories.
  • WordPress Database: Entries in wp_postmeta where meta_key = 'image_optimizer_metadata' contain absolute paths (e.g., /var/www/, /etc/, /home/) in the backups array rather than paths within wp-content/uploads/.
  • Process/Event: WordPress action log (if an audit plugin is active) recording delete_attachment events by Author-level users shortly after post meta edits on the same attachment.
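The database indicator above can be checked mechanically. The script below is an added example for this page, not code from the plugin or Wordfence. Because the advisory does not state how the meta is stored, it accepts both PHP-serialized and JSON-encoded values with a backups member; the rows are constructed inline, and the comment shows the $wpdb query you would use to pull the real ones.

```php
<?php
declare(strict_types=1);
// Added example: scan image_optimizer_metadata rows for paths that should not be there.
// In WordPress the rows would come from
//   $wpdb->get_results( $wpdb->prepare(
//       "SELECT post_id, meta_value FROM {$wpdb->postmeta} WHERE meta_key = %s",
//       'image_optimizer_metadata' ), ARRAY_A );
// The serialized/JSON 'backups' layout is an assumption; the sample rows are constructed.

// Collect every string under 'backups', whether it is a flat list of paths or a list of
// records that carry the path in some field.
function extract_backup_paths(string $metaValue): array
{
    $decoded = @unserialize($metaValue, ['allowed_classes' => false]);
    if ($decoded === false) {
        $decoded = json_decode($metaValue, true);
    }
    if (!is_array($decoded) || !is_array($decoded['backups'] ?? null)) {
        return [];
    }
    $paths = [];
    array_walk_recursive($decoded['backups'], function ($v) use (&$paths) {
        if (is_string($v)) {
            $paths[] = $v;
        }
    });
    return $paths;
}

// Suspicious: an absolute path not under the uploads base, any '..' segment, or a NUL byte.
// Relative paths without '..' are left alone; they cannot leave the directory they are
// resolved against.
function is_suspicious_backup_path(string $path, string $uploadsBase): bool
{
    $norm = str_replace('\\', '/', $path);
    $base = rtrim(str_replace('\\', '/', $uploadsBase), '/') . '/';
    if (strpos($norm, "\0") !== false || preg_match('#(^|/)\.\.(/|$)#', $norm)) {
        return true;
    }
    return $norm !== '' && $norm[0] === '/' && strncmp($norm, $base, strlen($base)) !== 0;
}

// Returns post_id => list of offending paths, only for rows that have any.
function find_suspicious_backup_meta(array $rows, string $uploadsBase): array
{
    $hits = [];
    foreach ($rows as $row) {
        foreach (extract_backup_paths((string) $row['meta_value']) as $p) {
            if (is_suspicious_backup_path($p, $uploadsBase)) {
                $hits[(int) $row['post_id']][] = $p;
            }
        }
    }
    return $hits;
}

// Constructed rows: a clean attachment, an injected absolute path, a '..' escape, and junk.
$uploadsBase = '/var/www/html/wp-content/uploads';
$rows = [
    ['post_id' => 41, 'meta_value' => serialize(['backups' => [$uploadsBase . '/2026/07/a.jpg.bak']])],
    ['post_id' => 42, 'meta_value' => serialize(['backups' => [$uploadsBase . '/2026/07/b.jpg.bak', '/var/www/html/wp-config.php']])],
    ['post_id' => 43, 'meta_value' => json_encode(['backups' => [$uploadsBase . '/../../.htaccess']])],
    ['post_id' => 44, 'meta_value' => 'not-an-array'],
];

foreach (find_suspicious_backup_meta($rows, $uploadsBase) as $postId => $paths) {
    printf("post %d: %s\n", $postId, implode(' | ', $paths));
}
```

The trailing slash appended to the base is deliberate: without it, a sibling directory such as wp-content/uploads-old would pass the prefix test. Run the scan against a database dump as well as the live table, since an attacker who has already deleted the attachment has also removed the tampered meta row with it.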

Mitigation and workarounds

Update the Image Optimizer plugin to a version newer than 1.7.4; the fix is changeset 3557772 in the WordPress plugin repository. Until the update is applied, keep Author-level users from writing post meta on attachments, for example by marking image_optimizer_metadata as protected meta so that it disappears from the Custom Fields interface and is rejected on the REST API meta path, or disable the plugin's backup feature entirely. Site administrators should also audit existing image_optimizer_metadata entries in wp_postmeta for absolute paths outside wp-content/uploads and verify file system integrity, since a deletion that already happened leaves no tampered row behind (WordPress Trac Changeset, Wordfence).
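One way to implement the interim workaround, as an added example for this page rather than code from the plugin, Wordfence or the fix: a must-use plugin that uses two WordPress core filters, is_protected_meta and the per-key auth_post_meta_{key} capability filter, to stop non-administrators from writing the meta key through any of WordPress's editing paths. The file name and the choice of manage_options as the gate are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary hardening for image_optimizer_metadata
 * Description: Added example for the interim workaround. Not code from the plugin, Wordfence
 *              or the fix changeset. Place in wp-content/mu-plugins/ and remove once the
 *              Image Optimizer plugin has been updated past 1.7.4.
 */

// 1. Mark the key as protected. add_meta() and wp_ajax_add_meta() refuse protected keys, and
//    the Custom Fields meta box no longer lists it. The plugin's own update_post_meta() calls
//    keep working, because update_metadata() does not consult is_protected_meta().
add_filter('is_protected_meta', function ($protected, $meta_key, $meta_type) {
    if ('post' === $meta_type && 'image_optimizer_metadata' === $meta_key) {
        return true;
    }
    return $protected;
}, 10, 3);

// 2. Belt and braces for everything routed through map_meta_cap(), which includes the REST API
//    meta endpoints if the key is ever registered with show_in_rest: only users who can
//    manage_options may add, edit or delete this key. $user_id is 0 for unauthenticated
//    requests, for which user_can() returns false.
add_filter('auth_post_meta_image_optimizer_metadata', function ($allowed, $meta_key, $object_id, $user_id) {
    return user_can($user_id, 'manage_options');
}, 10, 4);
```

After dropping the file in place, confirm the effect by logging in as an Author, opening an attachment you own and checking that image_optimizer_metadata is no longer offered or accepted in the Custom Fields box. The filters do not alter what the plugin itself deletes, so they are a stop-gap for the Author-level write path only; the update remains the fix.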

Source: This report was generated with the help of AI.

Related WordPress vulnerabilities:

CVE ID           Severity   Score   Component (plugin slug)   CISA KEV exploit   Fixed   Published
CVE-2026-5821    HIGH       8.1     image-optimization        No                 Yes     Jul 02, 2026
CVE-2026-14249   HIGH       7.5     request-a-quote           No                 Yes     Jul 02, 2026
CVE-2026-13704   MEDIUM     6.4     give                      No                 Yes     Jul 02, 2026
CVE-2026-5348    MEDIUM     5.3     academy                   No                 Yes     Jul 02, 2026
CVE-2026-13357   MEDIUM     4.9     houzez-property-feed      No                 Yes     Jul 02, 2026
