CVE-2026-5821
Image Optimizer · Image Optimizer – Optimize Images and Convert to WebP or AVIF
The Image Optimizer plugin for WordPress contains a vulnerability allowing for arbitrary file deletion due to inadequate path validation.
Executive summary
An arbitrary file deletion flaw in the Image Optimizer plugin for WordPress risks critical data loss and server instability through unauthorized filesystem access.
Vulnerability
The vulnerability stems from improper validation of file paths during image processing operations. An authenticated attacker with sufficient privileges can leverage this flaw to delete files outside of the intended directory.
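To show what adequate path validation looks like for a delete operation of this kind, here is an added example in PHP; it is not code from the Image Optimizer plugin, and the function name, directory layout and file names are hypothetical. It canonicalises both the allowed root and the requested path, then requires the resolved target to sit inside the root before unlinking.

```php
<?php
// Added example, not the plugin's code: confine a delete to the uploads root.
// safe_delete_upload() and the scratch layout below are hypothetical.

function safe_delete_upload(string $uploads_dir, string $requested): bool
{
    // Canonicalise the allowed root; fail closed if it cannot be resolved.
    $root = realpath($uploads_dir);
    if ($root === false) {
        return false;
    }
    // realpath() collapses "." and "..", resolves symlinks and returns false
    // for paths that do not exist, so a symlink inside the root that points
    // outside it is judged by its real location, not by where the link lives.
    $target = realpath($requested);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against "root + separator": a bare-root prefix test would let
    // "/srv/uploads-old/x" pass for a root of "/srv/uploads".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Only image types an optimizer has any business removing.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp', 'avif'], true)) {
        return false;
    }
    return unlink($target);
}

// Constructed scratch layout: an uploads dir with one image and one non-image,
// plus a file outside the uploads root.
$base = sys_get_temp_dir() . '/imgopt_' . bin2hex(random_bytes(4));
mkdir("$base/uploads", 0700, true);
file_put_contents("$base/uploads/photo.jpg", 'image bytes');
file_put_contents("$base/uploads/notes.txt", 'not an image');
file_put_contents("$base/outside.txt", 'outside the uploads root');

$cases = [
    'traversal outside root' => "$base/uploads/../outside.txt",
    'non-image inside root'  => "$base/uploads/notes.txt",
    'legitimate image'       => "$base/uploads/photo.jpg",
];
foreach ($cases as $label => $path) {
    $ok = safe_delete_upload("$base/uploads", $path);
    printf("%-24s deleted=%s\n", $label, $ok ? 'yes' : 'no');
}

// Remove the scratch layout.
foreach (["$base/uploads/notes.txt", "$base/outside.txt"] as $f) { @unlink($f); }
@rmdir("$base/uploads"); @rmdir($base);
```

Only the legitimate image is removed; the traversal case is rejected because its resolved path lies outside the root, and the text file is rejected by the extension allow-list.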
Business impact
Successful exploitation allows an attacker to delete mission-critical system files, potentially rendering the website or the underlying host server inoperable. Given the CVSS score of 8.1, this vulnerability presents a significant risk to the availability and reliability of the WordPress environment, which could result in prolonged business interruption.
Remediation
Immediate Action: Update the Image Optimizer plugin to the patched version as soon as the vendor releases one.
Proactive Monitoring: Review web server access logs for anomalous requests that deviate from normal plugin behavior, specifically those targeting file deletion endpoints.
Compensating Controls: Utilize a Web Application Firewall (WAF) to block requests containing directory traversal sequences or suspicious path parameters.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the potential for permanent data loss and service disruption, administrators are strongly advised to prioritize this update. Ensure that the plugin is kept up to date and audit the environment for any signs of unauthorized file manipulation.