WP-Optimize WordPress Plugin Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the WP-Optimize WordPress plugin, affecting all versions up to and including 4.5.2. The issue arises from inadequate validation of file paths in the 'unscheduled_original_file_deletion' function. It enables authenticated attackers with author-level access or higher to delete arbitrary files on the server, which can lead to remote code execution if a critical file such as 'wp-config.php' is removed. The weakness is reachable through the 'original-file' meta key, which is publicly accessible and can be set by authors through the Edit Media form or the REST API.

Impact

Successful exploitation allows authenticated users to delete arbitrary files on the server, potentially leading to remote code execution if a sensitive file is removed.

Reproduction

To reproduce this vulnerability, an authenticated user with author-level access can create or modify the 'original-file' meta key on their attachment posts. This can be done through the WordPress media editor or via the REST API. Once the meta key is set, the user can trigger the 'unscheduled_original_file_deletion' function, which will delete the specified file from the server.
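As a defensive illustration, added here and not taken from the WP-Optimize code base, the following hypothetical `example_delete_original_file()` helper treats the 'original-file' meta value as untrusted input and refuses anything that resolves outside the uploads directory or is not a regular image file. The WordPress functions it calls are real; the helper's name and the allowed extension list are assumptions.

```php
<?php
// Added example, not WP-Optimize's own code. Function name and the
// extension allow-list are hypothetical; the WordPress APIs are real.

function example_delete_original_file( int $attachment_id ): bool {
    // Capability check alone is not enough: authors can edit their own
    // attachments, so the meta value must still be treated as hostile.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        return false;
    }

    $relative = get_post_meta( $attachment_id, 'original-file', true );
    if ( ! is_string( $relative ) || '' === $relative ) {
        return false;
    }

    // Reject absolute paths and stream wrappers outright.
    if ( path_is_absolute( $relative ) || false !== strpos( $relative, '://' ) ) {
        return false;
    }

    $uploads  = wp_get_upload_dir();
    $base_dir = realpath( $uploads['basedir'] );
    $target   = realpath( $uploads['basedir'] . '/' . $relative );

    // realpath() collapses '..' segments and symlinks; the resolved path
    // must remain strictly inside the uploads directory.
    if ( false === $base_dir || false === $target ) {
        return false;
    }
    if ( 0 !== strpos( $target, $base_dir . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    if ( ! is_file( $target ) ) {
        return false;
    }

    // Only delete file types the optimizer could have produced (assumed list).
    $allowed = array( 'jpg', 'jpeg', 'png', 'gif', 'webp' );
    $type    = wp_check_filetype( $target );
    if ( empty( $type['ext'] ) || ! in_array( $type['ext'], $allowed, true ) ) {
        return false;
    }

    // Core performs a second containment check before unlinking.
    return wp_delete_file_from_directory( $target, $base_dir );
}
```

With these checks a meta value such as a traversal sequence pointing at 'wp-config.php' resolves outside the uploads directory and is rejected before any deletion occurs.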

Remediation

Users are advised to update the WP-Optimize plugin to version 4.5.3 or later.

Added: May 7, 2026, 6:24 AM
Updated: May 7, 2026, 6:24 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 7.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.