CVE-2025-13750

Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
6.4.0
Patched in
1d
Time to patch

Description

The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=6.3.2
PublishedDecember 16, 2025
Last updatedDecember 17, 2025

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-13750 ## 1. Vulnerability Summary The **Converter for Media** plugin for WordPress is vulnerable to an **Insecure Direct Object Reference (IDOR)** via missing authorization on its REST API endpoint `/webp-converter/v1/regenerate-attachment`. While the endpoint…

Show full research plan

Exploitation Research Plan: CVE-2025-13750

1. Vulnerability Summary

The Converter for Media plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via missing authorization on its REST API endpoint /webp-converter/v1/regenerate-attachment. While the endpoint is intended for administrative use to refresh optimized image versions, it fails to implement a proper capability check (e.g., current_user_can('manage_options')). This allow any authenticated user, including those with Subscriber roles, to trigger the deletion of optimized WebP or AVIF variants for arbitrary media attachments by providing their ID.

2. Attack Vector Analysis

  • Endpoint: /wp-json/webp-converter/v1/regenerate-attachment
  • Method: POST (Inferred based on standard WordPress REST API patterns for actions that modify data).
  • Authentication Required: Subscriber level (PR:L).
  • Vulnerable Parameter: id (The ID of the attachment to target).
  • Payload Type: JSON or URL-encoded.
  • Preconditions:
    • The plugin must be active and have processed at least one image (generating optimized WebP/AVIF files).
    • The attacker must know or brute-force an existing attachment ID.

3. Code Flow (Inferred)

  1. Route Registration: The plugin registers the REST route during rest_api_init.
    • Likely file: src/Rest/RegenerateAttachmentEndpoint.php or similar class in the src/Rest directory.
    • Vulnerable code: register_rest_route likely uses 'permission_callback' => '__return_true' or is_user_logged_in instead of checking for administrative capabilities.
  2. Request Handling: The controller function (e.g., handle_request) extracts the id parameter from the WP_REST_Request.
  3. Data Modification: The plugin calls an internal method (likely in an image processor class) that identifies the optimized file paths for the given id and deletes them from the filesystem (e.g., in wp-content/uploads-webpc/).

4. Nonce Acquisition Strategy

The WordPress REST API requires a wp_rest nonce for all non-GET requests performed by authenticated users to prevent CSRF.

  1. Access Point: A Subscriber user can access the standard WordPress profile page (/wp-admin/profile.php).
  2. Extraction: WordPress core automatically localizes the REST nonce for logged-in users in the wpApiSettings object.
  3. Command: Use the browser_eval tool after navigating to any admin page:
    • browser_eval("window.wpApiSettings?.nonce")
  4. Action String: The action string for this nonce is always wp_rest.

5. Exploitation Strategy

  1. Authentication: Authenticate as a Subscriber user using the browser_navigate and browser_type tools.
  2. Nonce Retrieval: Use browser_eval to extract the wp_rest nonce as described above.
  3. Target Identification: Identify a target attachment ID (e.g., ID 1).
  4. Trigger Deletion: Send an authorized POST request to the REST endpoint using the http_request tool.

Example Request:

POST /wp-json/webp-converter/v1/regenerate-attachment HTTP/1.1
Host: localhost:8080
Content-Type: application/json
X-WP-Nonce: [EXTRACTED_NONCE]

{
  "id": 1
}

6. Test Data Setup

  1. Install Plugin: Install and activate webp-converter-for-media version 6.3.2.
  2. Configure Plugin: Ensure the plugin is configured to optimize images (Settings > Converter for Media).
  3. Upload Image: Upload a sample image (e.g., test.jpg) to the Media Library. Note its ID (usually 1 if it's the first upload).
  4. Optimize: Ensure the plugin has generated a WebP version of the image. Verify the existence of the file in /var/www/html/wp-content/uploads-webpc/uploads/.../test.jpg.webp.
  5. Create User: Create a user with the Subscriber role.
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123

7. Expected Results

  • HTTP Response: The server should return a 200 OK or 201 Created status code, potentially with a JSON response confirming the action.
  • Filesystem Impact: The optimized WebP or AVIF file associated with the attachment ID in the uploads-webpc directory will be deleted.

8. Verification Steps

  1. Check Filesystem: Use ls or a similar check to see if the optimized file still exists.
    • wp eval "echo file_exists(ABSPATH . 'wp-content/uploads-webpc/...') ? 'Exists' : 'Deleted';"
  2. Check Plugin Metadata: Check if the plugin's metadata for that attachment has been updated or removed.
    • wp post list --post_type=attachment --p=1
  3. Verify Non-Admin Status: Confirm the exploit was performed with the Subscriber session and not a higher privilege account.

9. Alternative Approaches

  • URL-Encoded Body: If the JSON payload is rejected, try Content-Type: application/x-www-form-urlencoded with id=1 in the body.
  • Query Parameters: Try passing the ID as a query parameter: /wp-json/webp-converter/v1/regenerate-attachment?id=1.
  • Different Methods: If POST is not accepted, test DELETE or PUT.
  • ID Discovery: If attachment IDs are unknown, use the wp-json/wp/v2/media endpoint (if public) to list available IDs.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Converter for Media plugin for WordPress fails to properly restrict access to its image regeneration REST API endpoint. This allows authenticated users with low-level privileges, such as Subscribers, to trigger the deletion of optimized WebP and AVIF image variants for any attachment by its ID.

Vulnerable Code

/* src/Rest/RegenerateAttachmentEndpoint.php (Inferred) */

register_rest_route('webp-converter/v1', '/regenerate-attachment', [
    'methods'             => 'POST',
    'callback'            => [$this, 'handle_request'],
    'permission_callback' => function () {
        return is_user_logged_in();
    },
]);

Security Fix

--- a/src/Rest/RegenerateAttachmentEndpoint.php
+++ b/src/Rest/RegenerateAttachmentEndpoint.php
@@ -10,7 +10,7 @@
             'methods'             => 'POST',
             'callback'            => [ $this, 'handle_request' ],
             'permission_callback' => function () {
-                return is_user_logged_in();
+                return current_user_can( 'manage_options' );
             },
         ] );

Exploit Outline

To exploit this vulnerability, an attacker first authenticates to the WordPress site as a Subscriber. They then extract the required 'wp_rest' nonce from the localized 'wpApiSettings' JavaScript object available on the profile page. Finally, the attacker sends a POST request to the '/wp-json/webp-converter/v1/regenerate-attachment' endpoint with the 'X-WP-Nonce' header and a JSON payload specifying the 'id' of the media attachment whose optimized versions they wish to delete.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.