CVE-2026-42756

QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly <= 3.2.7 - Authenticated (Contributor+) Arbitrary File Deletion

highImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8.1
CVSS Score
8.1
CVSS Score
high
Severity
3.2.8
Patched in
13d
Time to patch

Description

The QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 3.2.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=3.2.7
PublishedMay 20, 2026
Last updatedJune 2, 2026
Affected pluginquickwebp

What Changed in the Fix

Changes introduced in v3.2.8

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-42756 ## 1. Vulnerability Summary The **QuickWebP** plugin for WordPress (up to version 3.2.7) is vulnerable to **Authenticated Arbitrary File Deletion** via path traversal. The vulnerability exists because the plugin fails to properly validate or sanitize fi…

Show full research plan

Exploitation Research Plan - CVE-2026-42756

1. Vulnerability Summary

The QuickWebP plugin for WordPress (up to version 3.2.7) is vulnerable to Authenticated Arbitrary File Deletion via path traversal. The vulnerability exists because the plugin fails to properly validate or sanitize file paths provided in AJAX requests before passing them to a file deletion function (likely unlink()). While the plugin is designed to allow users to "undo" image optimizations by deleting generated WebP files, a Contributor-level attacker can provide a manipulated path (e.g., using ../) to delete sensitive system files, including wp-config.php.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: quickwebp_undo_single_optimization (inferred from the button class quickwebp-undo-single-optimization-btn in admin/class-wp-media-extends.php)
  • HTTP Parameter: path or file (inferred; most likely path)
  • Required Nonce: quickwebp_admin_attachment (localized as QUICKWEBP_ADMIN_ATTACHMENT.nonce)
  • Authentication: Authenticated, Contributor-level access or higher.
  • Preconditions: The attacker must be able to access the WordPress admin dashboard (default for Contributors) to retrieve the nonce.

3. Code Flow

  1. Entry Point: A logged-in user (Contributor+) sends a POST request to admin-ajax.php with the action quickwebp_undo_single_optimization.
  2. Nonce Verification: The handler verifies the nonce using check_ajax_referer( 'quickwebp_admin_attachment', 'nonce' ).
  3. Parameter Processing: The handler retrieves a file path from the $_POST array (e.g., $_POST['path']).
  4. Vulnerable Sink: The handler passes this path directly to a file system operation like unlink() or a wrapper function without checking if the path is restricted to the uploads directory.
  5. Traversal: By using ../../../../wp-config.php, the attacker escapes the intended directory and deletes the site configuration.

4. Nonce Acquisition Strategy

The nonce is localized for the script quickwebp-admin-attachment and is available on pages where the WordPress Media Library or post editor is loaded.

  1. Access Admin: Log in as a Contributor and navigate to the Media Library (/wp-admin/upload.php).
  2. Extract Nonce: The nonce is stored in the global JavaScript object QUICKWEBP_ADMIN_ATTACHMENT.
  3. Execution:
    // Run this via browser_eval
    window.QUICKWEBP_ADMIN_ATTACHMENT?.nonce
    

5. Exploitation Strategy

The goal is to delete wp-config.php to force WordPress into the setup/install phase.

Step 1: Preliminary Environment Check

Verify the target file exists:

  • ls /var/www/html/wp-config.php

Step 2: Nonce Retrieval

  1. Navigate to /wp-admin/upload.php using browser_navigate.
  2. Extract the nonce: NONCE = browser_eval("window.QUICKWEBP_ADMIN_ATTACHMENT.nonce").

Step 3: Execution of File Deletion

Send the malicious AJAX request using the http_request tool.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: `POST

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.