Search
Search Results (2 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-7311 | 2 Tinypng, Wordpress | 2 Tinypng – Jpeg, Png & Webp Image Compression, Wordpress | 2026-07-06 | 8.1 High |
| The TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_converted_image_size function in all versions up to, and including, 3.6.13. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can exploit this by injecting an arbitrary server file path into the 'convert.path' field of the 'tiny_compress_images' post meta on an attachment they own, then triggering attachment deletion to invoke the vulnerable code path. | ||||
| CVE-2024-47635 | 1 Tinypng | 1 Tinypng | 2026-04-23 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in TinyPNG TinyPNG tiny-compress-images allows Cross Site Request Forgery.This issue affects TinyPNG: from n/a through <= 3.4.3. | ||||
Page 1 of 1.