Primary

Context

WordPress WebP Converter Plugin Missing Authorization Vulnerability Allows Unauthorized Image Deletion

Vulnerability

Patched

A vulnerability exists in the WordPress WebP Converter for Media plugin, specifically in versions 6.3.2 and prior. The issue arises from a lack of proper capability checks on the '/webp-converter/v1/regenerate-attachment' REST endpoint. This flaw enables authenticated attackers with Subscriber-level access or higher to delete optimized WebP and AVIF versions of attachments.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of optimized WebP and AVIF image variants from the WordPress media library.

Remediation

Users are advised to update the WebP Converter for Media plugin to version 6.4.0 or later.

Added: Dec 17, 2025, 7:20 AM

Updated: Dec 17, 2025, 7:20 AM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

0.6

exploitability

6.1

remediation

7.7

relevance

1.6

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

0.6

exploitability

6.1

remediation

7.7

relevance

1.6

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WordPress WebP Converter Plugin Missing Authorization Vulnerability Allows Unauthorized Image Deletion

Vulnerability

Impact

Remediation

Affected Products

Converter for Media

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating