Tinypng Jpeg Png Webp Image Compression
Monthly
Arbitrary file deletion in the TinyPNG (JPEG, PNG & WebP image compression) plugin for WordPress affects all versions through 3.6.13, allowing authenticated attackers with author-level access or higher to delete any file the web server can reach. Because deleting sensitive files such as wp-config.php pushes the site into a fresh-install state, this file-deletion primitive can be escalated to full remote code execution. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but it was disclosed by Wordfence with a clear exploitation path and carries a CVSS 8.1 (High).
Arbitrary file deletion in the TinyPNG (JPEG, PNG & WebP image compression) plugin for WordPress affects all versions through 3.6.13, allowing authenticated attackers with author-level access or higher to delete any file the web server can reach. Because deleting sensitive files such as wp-config.php pushes the site into a fresh-install state, this file-deletion primitive can be escalated to full remote code execution. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but it was disclosed by Wordfence with a clear exploitation path and carries a CVSS 8.1 (High).