Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint
Description
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=6.3.2Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-13750 ## 1. Vulnerability Summary The **Converter for Media** plugin for WordPress is vulnerable to an **Insecure Direct Object Reference (IDOR)** via missing authorization on its REST API endpoint `/webp-converter/v1/regenerate-attachment`. While the endpoint…
Show full research plan
Exploitation Research Plan: CVE-2025-13750
1. Vulnerability Summary
The Converter for Media plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via missing authorization on its REST API endpoint /webp-converter/v1/regenerate-attachment. While the endpoint is intended for administrative use to refresh optimized image versions, it fails to implement a proper capability check (e.g., current_user_can('manage_options')). This allow any authenticated user, including those with Subscriber roles, to trigger the deletion of optimized WebP or AVIF variants for arbitrary media attachments by providing their ID.
2. Attack Vector Analysis
- Endpoint:
/wp-json/webp-converter/v1/regenerate-attachment - Method:
POST(Inferred based on standard WordPress REST API patterns for actions that modify data). - Authentication Required: Subscriber level (
PR:L). - Vulnerable Parameter:
id(The ID of the attachment to target). - Payload Type: JSON or URL-encoded.
- Preconditions:
- The plugin must be active and have processed at least one image (generating optimized WebP/AVIF files).
- The attacker must know or brute-force an existing attachment ID.
3. Code Flow (Inferred)
- Route Registration: The plugin registers the REST route during
rest_api_init.- Likely file:
src/Rest/RegenerateAttachmentEndpoint.phpor similar class in thesrc/Restdirectory. - Vulnerable code:
register_rest_routelikely uses'permission_callback' => '__return_true'oris_user_logged_ininstead of checking for administrative capabilities.
- Likely file:
- Request Handling: The controller function (e.g.,
handle_request) extracts theidparameter from theWP_REST_Request. - Data Modification: The plugin calls an internal method (likely in an image processor class) that identifies the optimized file paths for the given
idand deletes them from the filesystem (e.g., inwp-content/uploads-webpc/).
4. Nonce Acquisition Strategy
The WordPress REST API requires a wp_rest nonce for all non-GET requests performed by authenticated users to prevent CSRF.
- Access Point: A Subscriber user can access the standard WordPress profile page (
/wp-admin/profile.php). - Extraction: WordPress core automatically localizes the REST nonce for logged-in users in the
wpApiSettingsobject. - Command: Use the
browser_evaltool after navigating to any admin page:browser_eval("window.wpApiSettings?.nonce")
- Action String: The action string for this nonce is always
wp_rest.
5. Exploitation Strategy
- Authentication: Authenticate as a Subscriber user using the
browser_navigateandbrowser_typetools. - Nonce Retrieval: Use
browser_evalto extract thewp_restnonce as described above. - Target Identification: Identify a target attachment ID (e.g., ID 1).
- Trigger Deletion: Send an authorized POST request to the REST endpoint using the
http_requesttool.
Example Request:
POST /wp-json/webp-converter/v1/regenerate-attachment HTTP/1.1
Host: localhost:8080
Content-Type: application/json
X-WP-Nonce: [EXTRACTED_NONCE]
{
"id": 1
}
6. Test Data Setup
- Install Plugin: Install and activate
webp-converter-for-mediaversion 6.3.2. - Configure Plugin: Ensure the plugin is configured to optimize images (Settings > Converter for Media).
- Upload Image: Upload a sample image (e.g.,
test.jpg) to the Media Library. Note its ID (usually 1 if it's the first upload). - Optimize: Ensure the plugin has generated a WebP version of the image. Verify the existence of the file in
/var/www/html/wp-content/uploads-webpc/uploads/.../test.jpg.webp. - Create User: Create a user with the Subscriber role.
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
7. Expected Results
- HTTP Response: The server should return a
200 OKor201 Createdstatus code, potentially with a JSON response confirming the action. - Filesystem Impact: The optimized WebP or AVIF file associated with the attachment ID in the
uploads-webpcdirectory will be deleted.
8. Verification Steps
- Check Filesystem: Use
lsor a similar check to see if the optimized file still exists.wp eval "echo file_exists(ABSPATH . 'wp-content/uploads-webpc/...') ? 'Exists' : 'Deleted';"
- Check Plugin Metadata: Check if the plugin's metadata for that attachment has been updated or removed.
wp post list --post_type=attachment --p=1
- Verify Non-Admin Status: Confirm the exploit was performed with the Subscriber session and not a higher privilege account.
9. Alternative Approaches
- URL-Encoded Body: If the JSON payload is rejected, try
Content-Type: application/x-www-form-urlencodedwithid=1in the body. - Query Parameters: Try passing the ID as a query parameter:
/wp-json/webp-converter/v1/regenerate-attachment?id=1. - Different Methods: If
POSTis not accepted, testDELETEorPUT. - ID Discovery: If attachment IDs are unknown, use the
wp-json/wp/v2/mediaendpoint (if public) to list available IDs.
Summary
The Converter for Media plugin for WordPress fails to properly restrict access to its image regeneration REST API endpoint. This allows authenticated users with low-level privileges, such as Subscribers, to trigger the deletion of optimized WebP and AVIF image variants for any attachment by its ID.
Vulnerable Code
/* src/Rest/RegenerateAttachmentEndpoint.php (Inferred) */ register_rest_route('webp-converter/v1', '/regenerate-attachment', [ 'methods' => 'POST', 'callback' => [$this, 'handle_request'], 'permission_callback' => function () { return is_user_logged_in(); }, ]);
Security Fix
@@ -10,7 +10,7 @@ 'methods' => 'POST', 'callback' => [ $this, 'handle_request' ], 'permission_callback' => function () { - return is_user_logged_in(); + return current_user_can( 'manage_options' ); }, ] );
Exploit Outline
To exploit this vulnerability, an attacker first authenticates to the WordPress site as a Subscriber. They then extract the required 'wp_rest' nonce from the localized 'wpApiSettings' JavaScript object available on the profile page. Finally, the attacker sends a POST request to the '/wp-json/webp-converter/v1/regenerate-attachment' endpoint with the 'X-WP-Nonce' header and a JSON payload specifying the 'id' of the media attachment whose optimized versions they wish to delete.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.