CVE-2026-7311

TinyPNG · JPEG, PNG & WebP image compression plugin

The TinyPNG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient input validation within the delete_converted_image_size function.

Executive summary

A critical arbitrary file deletion vulnerability in the TinyPNG WordPress plugin exposes the underlying server filesystem to unauthorized modification and potential service disruption.

Vulnerability

The plugin does not adequately sanitize user-supplied input in the delete_converted_image_size function, so an authenticated attacker with sufficient privileges can delete arbitrary files on the web server.

Business impact

The ability for an attacker to delete arbitrary files poses a severe risk to system integrity and availability. An attacker could remove critical configuration files, core WordPress files, or security-related logs, potentially leading to a complete denial-of-service or facilitating further system compromise. With a CVSS score of 8.1, this high-severity flaw requires immediate attention to prevent operational downtime.

Remediation

Immediate Action: Update the TinyPNG plugin to the latest available version provided by the vendor to implement proper path validation.

Proactive Monitoring: Monitor server filesystem activity logs for unauthorized deletion attempts or access patterns targeting sensitive directories.

Compensating Controls: Implement file integrity monitoring (FIM) and ensure the web server service account operates with the principle of least privilege regarding filesystem permissions.
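The "proper path validation" the remediation refers to is, in practice, confining every deletion target to the plugin's own output directory before calling unlink(). The following is an added illustrative example written for this advisory; it is not TinyPNG's code, and the real plugin's function signature is not shown here. The function names, the $baseDir/$requested parameters and the temporary-directory sample data are all assumptions made for the demonstration; in a real plugin the base directory would come from wp_upload_dir()['basedir'].

```php
<?php
// Added illustrative example (hypothetical, not TinyPNG's own code): confine a
// deletion request to the uploads directory before calling unlink().
// Assumptions: $baseDir is the absolute uploads directory; $requested is the
// untrusted, request-supplied relative path of the converted image size.

declare(strict_types=1);

/**
 * Resolve $requested inside $baseDir and return its canonical absolute path,
 * or null when the request escapes the base directory or is otherwise invalid.
 */
function resolve_confined_path(string $baseDir, string $requested): ?string
{
    // NUL bytes would truncate the path inside realpath()/unlink(); refuse them.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Only relative names are expected: refuse absolute paths and drive letters.
    if ($requested === '' || $requested[0] === '/' || $requested[0] === '\\'
        || preg_match('/^[A-Za-z]:/', $requested) === 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; false if the target is missing.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }
    // Compare against the base plus a trailing separator, so a sibling such as
    // "/srv/uploads-old" is not accepted when the base is "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

/**
 * Delete a converted image size only if it is a regular image file inside $baseDir.
 * Returns true on deletion, false when the request is refused or the file is missing.
 */
function delete_converted_image_size_safe(string $baseDir, string $requested): bool
{
    $target = resolve_confined_path($baseDir, $requested);
    if ($target === null || !is_file($target)) {
        return false;
    }
    // Restrict to extensions the conversion step would have produced, so that
    // configuration files or scripts inside the uploads tree are never removed.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'webp'], true)) {
        return false;
    }
    return unlink($target);
}

// Self-contained demo on constructed sample files in a temporary directory.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . getmypid();
mkdir($uploads . '/2026/04', 0700, true);
file_put_contents($uploads . '/2026/04/photo-300x200.png', 'png-bytes');
$outside = $uploads . '-outside.txt';   // sibling path that shares the base prefix
file_put_contents($outside, 'must survive');
file_put_contents($uploads . '/.htaccess', 'deny from all');

var_dump(delete_converted_image_size_safe($uploads, '../' . basename($outside))); // bool(false): escapes base
var_dump(delete_converted_image_size_safe($uploads, '.htaccess'));                 // bool(false): not an image
var_dump(delete_converted_image_size_safe($uploads, '2026/04/photo-300x200.png'));  // bool(true)
var_dump(file_exists($outside));                                                     // bool(true)

// Clean up the demo files.
unlink($outside);
unlink($uploads . '/.htaccess');
rmdir($uploads . '/2026/04');
rmdir($uploads . '/2026');
rmdir($uploads);
```

The important design choice is that the containment check runs on the canonicalized path returned by realpath(), not on the raw string: stripping "../" sequences from input is easy to bypass with encodings or symlinks, whereas comparing the resolved path against the resolved base plus a trailing separator leaves no room for traversal, prefix collisions or symlink escapes. The extension allow-list is a second, independent layer; it is what stops deletion of non-image files that legitimately live under the uploads tree.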

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this vulnerability necessitates prompt remediation. Administrators should verify their current plugin version and apply updates immediately. If a patch is not yet available, consider disabling the plugin until a secure version is released to mitigate the risk of filesystem manipulation.