TinyPNG <= 3.6.13 - Authenticated (Author+) Arbitrary File Deletion via 'convert.path' in 'tiny_compress_images' Post Meta

2026-07-02 05:38
lhking

Strategic Overview

Status
Patched in 3.6.14
Affected Version<= 3.6.13
CVSS8.1High
CVECVE-2026-7311
View all TinyPNG – JPEG, PNG & WebP image compression vulnerabilities

Vulnerability Overview

The TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_converted_image_size function in all versions up to, and including, 3.6.13. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can exploit this by injecting an arbitrary server file path into the 'convert.path' field of the 'tiny_compress_images' post meta on an attachment they own, then triggering attachment deletion to invoke the vulnerable code path.

Technical Analysis

REMEDIATION: Update to version 3.6.14, or a newer patched version --- IDENTIFIER: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C

TinyPNG <= 3.6.13 - Authenticated (Author+) Arbitrary File Deletion via 'convert.path' in 'tiny_compress_images' Post Meta (CVE-2026-7311)