CVE-2026-7311
TinyPNG · JPEG, PNG & WebP image compression plugin
The TinyPNG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient input validation within the delete_converted_image_size function.
Executive summary
A critical arbitrary file deletion vulnerability in the TinyPNG WordPress plugin exposes the underlying server filesystem to unauthorized modification and potential service disruption.
Vulnerability
The plugin fails to adequately sanitize user-supplied input within the delete_converted_image_size function. This allows an authenticated attacker with sufficient privileges to delete arbitrary files on the web server.
Business impact
The ability for an attacker to delete arbitrary files poses a severe risk to system integrity and availability. An attacker could remove critical configuration files, core WordPress files, or security-related logs, potentially leading to a complete denial-of-service or facilitating further system compromise. With a CVSS score of 8.1, this high-severity flaw requires immediate attention to prevent operational downtime.
Remediation
Immediate Action: Update the TinyPNG plugin to the latest available version provided by the vendor to implement proper path validation.
Proactive Monitoring: Monitor server file system activity logs for unauthorized deletion attempts or access patterns targeting sensitive directories.
Compensating Controls: Implement file integrity monitoring (FIM) and ensure the web server service account operates with the principle of least privilege regarding filesystem permissions.
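To make the "proper path validation" remediation concrete, here is an added illustrative example (not the TinyPNG plugin's own code) of a hardened deletion helper for a WordPress plugin: the function name, the base directory argument and the sample paths are assumptions for the example. It resolves the requested path with realpath(), confirms the resolved target lies strictly inside the allowed base directory, and only then unlinks a regular image file. This is the containment check whose absence the advisory describes in delete_converted_image_size.

```php
<?php
// Added example of path-confined deletion; not the plugin's code.
// Names and directories below are assumptions for illustration.

/**
 * Delete a converted image only if it resolves to a regular image file
 * inside $base_dir. Returns true on deletion, false when the request is
 * rejected or the file does not exist.
 */
function safe_delete_converted_image( string $base_dir, string $relative_path ): bool {
    // Resolve the allowed root once; if it does not exist, nothing may be deleted.
    $root = realpath( $base_dir );
    if ( $root === false ) {
        return false;
    }

    // Reject empty input, NUL bytes and absolute paths before touching the filesystem.
    if ( $relative_path === '' || strpos( $relative_path, "\0" ) !== false ) {
        return false;
    }
    if ( $relative_path[0] === '/' || $relative_path[0] === '\\'
        || preg_match( '#^[A-Za-z]:#', $relative_path ) ) {
        return false;
    }

    // realpath() collapses "../" segments and follows symlinks, so the
    // containment check below operates on the real target, not the string.
    $target = realpath( $root . DIRECTORY_SEPARATOR . $relative_path );
    if ( $target === false ) {
        return false; // missing file: nothing to delete
    }

    // Containment: the target must start with "<root>/" including the separator,
    // otherwise a sibling such as "<root>-other" would pass a bare prefix test.
    $prefix = rtrim( $root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $target, $prefix, strlen( $prefix ) ) !== 0 ) {
        return false;
    }

    // Only regular files with an expected image extension are eligible.
    if ( ! is_file( $target ) ) {
        return false;
    }
    $ext = strtolower( pathinfo( $target, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'webp' ), true ) ) {
        return false;
    }

    return unlink( $target );
}

// Constructed usage sketch (paths are made up for the example):
// $uploads = wp_upload_dir()['basedir'];                                   // WordPress uploads root
// safe_delete_converted_image( $uploads, '2026/04/photo-300x200.png' );    // inside uploads: allowed
// safe_delete_converted_image( $uploads, '../../wp-config.php' );          // escapes uploads: rejected
```

In a real plugin handler this helper sits behind the usual WordPress authorization gates, a capability check such as `current_user_can( 'upload_files' )` and a nonce check via `check_ajax_referer()`, so that only an authorized request reaches the filesystem at all; the containment check then limits what even an authorized request can remove. Keeping the allowed extension list and the uploads root fixed server-side, rather than derived from the request, is what makes the check robust against crafted input.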
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this vulnerability necessitates prompt remediation. Administrators should verify their current plugin version and apply updates immediately. If a patch is not yet available, consider disabling the plugin until a secure version is released to mitigate the risk of filesystem manipulation.