QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly <= 3.2.7 - Authenticated (Contributor+) Arbitrary File Deletion
Description
The QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 3.2.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HTechnical Details
What Changed in the Fix
Changes introduced in v3.2.8
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-42756 ## 1. Vulnerability Summary The **QuickWebP** plugin for WordPress (up to version 3.2.7) is vulnerable to **Authenticated Arbitrary File Deletion** via path traversal. The vulnerability exists because the plugin fails to properly validate or sanitize fi…
Show full research plan
Exploitation Research Plan - CVE-2026-42756
1. Vulnerability Summary
The QuickWebP plugin for WordPress (up to version 3.2.7) is vulnerable to Authenticated Arbitrary File Deletion via path traversal. The vulnerability exists because the plugin fails to properly validate or sanitize file paths provided in AJAX requests before passing them to a file deletion function (likely unlink()). While the plugin is designed to allow users to "undo" image optimizations by deleting generated WebP files, a Contributor-level attacker can provide a manipulated path (e.g., using ../) to delete sensitive system files, including wp-config.php.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
quickwebp_undo_single_optimization(inferred from the button classquickwebp-undo-single-optimization-btninadmin/class-wp-media-extends.php) - HTTP Parameter:
pathorfile(inferred; most likelypath) - Required Nonce:
quickwebp_admin_attachment(localized asQUICKWEBP_ADMIN_ATTACHMENT.nonce) - Authentication: Authenticated, Contributor-level access or higher.
- Preconditions: The attacker must be able to access the WordPress admin dashboard (default for Contributors) to retrieve the nonce.
3. Code Flow
- Entry Point: A logged-in user (Contributor+) sends a POST request to
admin-ajax.phpwith the actionquickwebp_undo_single_optimization. - Nonce Verification: The handler verifies the nonce using
check_ajax_referer( 'quickwebp_admin_attachment', 'nonce' ). - Parameter Processing: The handler retrieves a file path from the
$_POSTarray (e.g.,$_POST['path']). - Vulnerable Sink: The handler passes this path directly to a file system operation like
unlink()or a wrapper function without checking if the path is restricted to the uploads directory. - Traversal: By using
../../../../wp-config.php, the attacker escapes the intended directory and deletes the site configuration.
4. Nonce Acquisition Strategy
The nonce is localized for the script quickwebp-admin-attachment and is available on pages where the WordPress Media Library or post editor is loaded.
- Access Admin: Log in as a Contributor and navigate to the Media Library (
/wp-admin/upload.php). - Extract Nonce: The nonce is stored in the global JavaScript object
QUICKWEBP_ADMIN_ATTACHMENT. - Execution:
// Run this via browser_eval window.QUICKWEBP_ADMIN_ATTACHMENT?.nonce
5. Exploitation Strategy
The goal is to delete wp-config.php to force WordPress into the setup/install phase.
Step 1: Preliminary Environment Check
Verify the target file exists:
ls /var/www/html/wp-config.php
Step 2: Nonce Retrieval
- Navigate to
/wp-admin/upload.phpusingbrowser_navigate. - Extract the nonce:
NONCE = browser_eval("window.QUICKWEBP_ADMIN_ATTACHMENT.nonce").
Step 3: Execution of File Deletion
Send the malicious AJAX request using the http_request tool.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: `POST
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.