WP-Optimize Plugin Flaw Allows Arbitrary File Deletion, RCE via wp-config.php

A critical vulnerability, tracked as CVE-2026-7252, has been identified in the WP-Optimize plugin for WordPress, impacting all versions up to and including 4.5.2. The National Vulnerability Database reports that this flaw stems from insufficient file path validation within the unscheduled_original_file_deletion function. This oversight allows authenticated attackers with author-level access or higher to delete arbitrary files on the server.

The core issue lies with the ‘original-file’ meta key, which is not prefixed with an underscore and is therefore not treated by WordPress as a protected meta key. As a result, authors can freely create or modify this key on their attachment posts via the standard Edit Media form or the REST API. Because the plugin then deletes whatever file the key names, this control over file deletion can easily escalate to remote code execution (RCE), particularly if critical files like wp-config.php are targeted and removed.

With a CVSS score of 8.1 (HIGH), this vulnerability presents a significant risk. Attackers leveraging this flaw don’t need highly privileged accounts; authors are common roles on most WordPress sites. The ability to delete arbitrary files, especially configuration files, is a direct path to disrupting site operations, gaining further access, or achieving full system compromise.

What This Means For You

  • If your WordPress site uses the WP-Optimize plugin, you need to assess your risk immediately. Prioritize patching to version 4.5.3 or later. Review user roles and permissions, ensuring no unnecessary author-level access is granted. Audit your `wp-config.php` file integrity and have robust backups in place. This isn't just about a plugin; it's about a foundational RCE vector.
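One way to check a site for tampering with the `original-file` meta key described above, as an added example (not code from WP-Optimize or from this advisory): it flags attachment meta values that resolve outside the uploads directory. The uploads path, the row layout, the sample rows and the choice to resolve relative values against the uploads root are all assumptions made for illustration.

```python
import posixpath

META_KEY = "original-file"  # meta key named in the advisory
UPLOADS = "/var/www/html/wp-content/uploads"  # assumed uploads root


def resolve(value, base=UPLOADS):
    """Lexically resolve a meta value against the uploads root (no disk access)."""
    path = value if value.startswith("/") else posixpath.join(base, value)
    return posixpath.normpath(path)  # collapses "..", ".", and "//"


def is_contained(path, base=UPLOADS):
    """True only if path is the base itself or sits below it."""
    base = posixpath.normpath(base)
    # Compare against base + "/" so a sibling such as "uploads-old" is rejected.
    return path == base or path.startswith(base + "/")


def audit(rows, base=UPLOADS):
    """Return (post_id, raw_value, resolved_path) for values escaping the base."""
    findings = []
    for post_id, key, value in rows:
        if key != META_KEY:
            continue
        target = resolve(value, base)
        if not is_contained(target, base):
            findings.append((post_id, value, target))
    return findings


# Constructed sample rows: (post_id, meta_key, meta_value), e.g. from a
# read-only export of the postmeta table.
SAMPLE_ROWS = [
    (101, "original-file", "2026/05/photo-original.jpg"),
    (102, "_wp_attached_file", "2026/05/photo.jpg"),
    (103, "original-file", "../../wp-config.php"),
    (104, "original-file", "/var/www/html/wp-config.php"),
    (105, "original-file", "/var/www/html/wp-content/uploads-old/x.jpg"),
]

if __name__ == "__main__":
    for post_id, raw, target in audit(SAMPLE_ROWS):
        print(f"post {post_id}: {raw!r} resolves to {target}")
```

The check is lexical only; on a live host, resolve symlinks as well before trusting a path that appears to sit inside the uploads directory.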

🛡️ Detection Rules

Severity: critical · ATT&CK: T1490 (Impact)

CVE-2026-7252 - WP-Optimize Arbitrary File Deletion via wp-config.php

```yaml
title: CVE-2026-7252 - WP-Optimize Arbitrary File Deletion via wp-config.php
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Detects the deletion of wp-config.php, a critical file for WordPress, which can be achieved by authenticated attackers (author role and above) exploiting CVE-2026-7252 in the WP-Optimize plugin. This deletion can lead to remote code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7252/
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: file_event
detection:
  selection:
    TargetFilename|contains:
      - '/wp-config.php'
    # A plain value is already an exact match; Sigma has no 'exact' modifier.
    EventType:
      - 'delete'
  # No filter on User: file telemetry records the OS account of the
  # PHP/web-server process, not the WordPress role of the logged-in user,
  # so matching on 'author' would never fire.
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7252 | Arbitrary File Deletion | WP-Optimize plugin for WordPress versions <= 4.5.2 |
| CVE-2026-7252 | Arbitrary File Deletion | Vulnerable function: unscheduled_original_file_deletion |
| CVE-2026-7252 | Arbitrary File Deletion | Insufficient file path validation |
| CVE-2026-7252 | RCE | Deletion of wp-config.php via 'original-file' meta key |
| CVE-2026-7252 | Auth Bypass | Authenticated attackers with author-level access |

Source & Attribution

  • Source Platform: NVD
  • Channel: National Vulnerability Database
  • Published: May 07, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
