
CVE-2026-5821 is an arbitrary file deletion vulnerability in the Image Optimizer – Optimize Images and Convert to WebP or AVIF plugin for WordPress, affecting versions up to and including 1.7.4. The flaw resides in the Image_Backup::remove() function, which fails to validate that backup file paths stored in post meta are confined to the uploads directory before passing them to file deletion operations. It was published on July 2, 2026, and assigned by Wordfence. The vulnerability carries a CVSS v3.1 base score of 8.1 (High) (GitHub Advisory, Wordfence).
The root cause is classified as CWE-73 (External Control of File Name or Path): the plugin stores backup file paths in the image_optimizer_metadata post meta field and unconditionally trusts those paths when the delete_attachment hook fires, calling File_System::delete() on each path without any boundary check against the uploads directory. An authenticated attacker with Author-level access can use WordPress's Custom Fields interface to overwrite the backups array inside image_optimizer_metadata on their own attachments, injecting arbitrary absolute filesystem paths. Deleting the attachment then triggers the plugin to delete every path in that array, including files outside the uploads directory. Relevant vulnerable code is visible in image-backup.php at line 117 and handle-backups-removing.php at line 19 (GitHub Advisory, WordPress Trac).
Successful exploitation allows an authenticated attacker to delete arbitrary files accessible to the web server process, including WordPress core files, configuration files (e.g., wp-config.php), or other sensitive server-side files. Deleting critical files can result in denial of service (site outage), data loss, or security degradation — for example, removing security plugins or .htaccess rules to weaken the site's defenses and facilitate follow-on attacks. There is no direct confidentiality impact, but integrity and availability are both rated High (GitHub Advisory, Wordfence).
Attack flow:
1. An attacker with Author-level access owns an attachment whose image_optimizer_metadata post meta entry holds the plugin's backups array.
2. The attacker edits the image_optimizer_metadata field on the attachment to inject arbitrary absolute file paths (e.g., /var/www/html/wp-config.php) into the backups array.
3. The attacker deletes the attachment. The delete_attachment hook fires, causing the plugin's Image_Backup::remove() to call File_System::delete() on each path in the tampered backups array without validation.
4. The targeted files (e.g., wp-config.php, .htaccess, security plugin files) are deleted from the server, resulting in denial of service, data loss, or weakened security posture (GitHub Advisory, Wordfence).

Detection:
- Modifications to image_optimizer_metadata post meta via the Custom Fields interface or REST API, particularly with absolute file paths outside the uploads directory in the backups field.
- Unexpected deletion of wp-config.php, .htaccess, or security plugin files coinciding with attachment deletion events; absence of files that should exist in the WordPress root or core directories.
- Rows in wp_postmeta where meta_key = 'image_optimizer_metadata' contain absolute paths (e.g., /var/www/, /etc/, /home/) in the backups array rather than paths within wp-content/uploads/.
- delete_attachment events by Author-level users shortly after post meta edits on the same attachment.

Mitigation:
Update the Image Optimizer plugin to a version newer than 1.7.4, which contains a fix for this vulnerability (changeset 3557772 in the WordPress plugin repository). As a workaround prior to patching, restrict Custom Fields editing permissions so that Author-level users cannot modify post meta on attachments, or disable the backup feature of the plugin entirely. Site administrators should also audit existing image_optimizer_metadata post meta entries for any suspicious absolute file paths and review file system integrity (WordPress Trac Changeset, Wordfence).
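The missing boundary check and the post-meta audit described above, as an added Python example that is not the plugin's code and not taken from the advisory. It assumes a hypothetical helper is_within_uploads() (resolve symlinks and ".." on both sides, then require the uploads directory to be a path-component prefix), shows the unchecked delete pattern beside a confined variant, and audits constructed wp_postmeta-style rows; the backups array is encoded as JSON here only for the example, since the plugin's real storage format is not assumed. All paths and rows are constructed.

```python
import json
import os
import tempfile

# Constructed sample: the uploads directory and three wp_postmeta-style rows
# (post_id, meta_key, meta_value). JSON encoding of the backups array is an
# assumption made for this example, not the plugin's real format.
UPLOADS_DIR = "/var/www/html/wp-content/uploads"
SAMPLE_ROWS = [
    (10, "image_optimizer_metadata",
     json.dumps({"backups": [UPLOADS_DIR + "/2026/07/photo-backup.jpg"]})),
    (11, "image_optimizer_metadata",
     json.dumps({"backups": ["/var/www/html/wp-config.php",
                             UPLOADS_DIR + "/../../.htaccess"]})),
    (12, "_wp_attached_file", "2026/07/photo.jpg"),
]


def is_within_uploads(path: str, uploads_dir: str) -> bool:
    """Hypothetical boundary check the vulnerable code lacks: resolve symlinks
    and '..' on both sides, then require uploads_dir to be a path-component
    prefix (not a string prefix, so 'uploads-old/' does not pass)."""
    real_uploads = os.path.realpath(uploads_dir)
    real_path = os.path.realpath(path)
    try:
        return os.path.commonpath([real_uploads, real_path]) == real_uploads
    except ValueError:  # mixed absolute/relative paths or different drives
        return False


def remove_backups_unchecked(backups):
    """The vulnerable pattern: every stored path is deleted as-is."""
    deleted = []
    for path in backups:
        if os.path.isfile(path):
            os.remove(path)
            deleted.append(path)
    return deleted


def remove_backups_confined(backups, uploads_dir):
    """Hardened variant: paths outside uploads_dir are refused, not deleted."""
    deleted, refused = [], []
    for path in backups:
        if not is_within_uploads(path, uploads_dir):
            refused.append(path)
            continue
        if os.path.isfile(path):
            os.remove(path)
            deleted.append(path)
    return deleted, refused


def audit_postmeta_rows(rows, uploads_dir):
    """Flag (post_id, path) pairs whose backups entry escapes uploads_dir."""
    findings = []
    for post_id, meta_key, meta_value in rows:
        if meta_key != "image_optimizer_metadata":
            continue
        try:
            backups = json.loads(meta_value).get("backups", [])
        except (ValueError, AttributeError):
            findings.append((post_id, "<unparseable meta_value>"))
            continue
        for path in backups:
            if not is_within_uploads(path, uploads_dir):
                findings.append((post_id, path))
    return findings


def demo_confined_delete():
    """Run the hardened delete against a tampered backups array in a temporary
    site layout; the file outside uploads must survive."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        backup = os.path.join(uploads, "photo-backup.jpg")
        config = os.path.join(root, "wp-config.php")
        for f in (backup, config):
            open(f, "w").close()
        tampered = [backup, config,
                    os.path.join(uploads, "..", "..", "wp-config.php")]
        deleted, refused = remove_backups_confined(tampered, uploads)
        return {
            "deleted": [os.path.basename(p) for p in deleted],
            "refused": len(refused),
            "config_survives": os.path.exists(config),
        }


if __name__ == "__main__":
    print(demo_confined_delete())
    for post_id, path in audit_postmeta_rows(SAMPLE_ROWS, UPLOADS_DIR):
        print(f"post {post_id}: backup path outside uploads: {path}")
```

The check compares resolved paths with os.path.commonpath rather than testing a string prefix, because a string prefix would accept a sibling directory such as wp-content/uploads-old/ and would not see through "../" or symlinks. The audit deliberately reports the path as stored so an administrator can find the exact row in wp_postmeta.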
Source: This report was generated with the help of AI.