CVE-2026-7311 - TinyPNG <= 3.6.13 - Authenticated (Author+) Arbitrary File Deletion via 'convert.path' in 'tiny_compress_images' Post Meta
CVE ID :CVE-2026-7311 Published : July 2, 2026, 6:32 p.m. | 4 hours, 41 minutes ago Description :The TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_converted_image_size function...