[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKBPYdAG0wRye-_nt8Mzk-HSAl0Sn9K4xn1l7ioGkEKE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-42756","quickwebp-compress-optimize-images-convert-webp-seo-friendly-authenticated-contributor-arbitrary-file-deletion","QuickWebP – Compress \u002F Optimize Images & Convert WebP | SEO Friendly \u003C= 3.2.7 - Authenticated (Contributor+) Arbitrary File Deletion","The QuickWebP – Compress \u002F Optimize Images & Convert WebP | SEO Friendly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 3.2.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).","quickwebp",null,"\u003C=3.2.7","3.2.8","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-05-20 00:00:00","2026-06-02 11:18:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7f910193-9ecc-45eb-b820-adf0da36fa76?source=api-prod",13,[22,23,24,25],"README.txt","admin\u002Fclass-image-optimizer.php","admin\u002Fclass-wp-media-extends.php","quickwebp.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-42756\n\n## 1. Vulnerability Summary\nThe **QuickWebP** plugin for WordPress (up to version 3.2.7) is vulnerable to **Authenticated Arbitrary File Deletion** via path traversal. The vulnerability exists because the plugin fails to properly validate or sanitize file paths provided in AJAX requests before passing them to a file deletion function (likely `unlink()`). While the plugin is designed to allow users to \"undo\" image optimizations by deleting generated WebP files, a Contributor-level attacker can provide a manipulated path (e.g., using `..\u002F`) to delete sensitive system files, including `wp-config.php`.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `quickwebp_undo_single_optimization` (inferred from the button class `quickwebp-undo-single-optimization-btn` in `admin\u002Fclass-wp-media-extends.php`)\n- **HTTP Parameter**: `path` or `file` (inferred; most likely `path`)\n- **Required Nonce**: `quickwebp_admin_attachment` (localized as `QUICKWEBP_ADMIN_ATTACHMENT.nonce`)\n- **Authentication**: Authenticated, Contributor-level access or higher.\n- **Preconditions**: The attacker must be able to access the WordPress admin dashboard (default for Contributors) to retrieve the nonce.\n\n## 3. Code Flow\n1. **Entry Point**: A logged-in user (Contributor+) sends a POST request to `admin-ajax.php` with the action `quickwebp_undo_single_optimization`.\n2. **Nonce Verification**: The handler verifies the nonce using `check_ajax_referer( 'quickwebp_admin_attachment', 'nonce' )`.\n3. **Parameter Processing**: The handler retrieves a file path from the `$_POST` array (e.g., `$_POST['path']`).\n4. **Vulnerable Sink**: The handler passes this path directly to a file system operation like `unlink()` or a wrapper function without checking if the path is restricted to the uploads directory.\n5. **Traversal**: By using `..\u002F..\u002F..\u002F..\u002Fwp-config.php`, the attacker escapes the intended directory and deletes the site configuration.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is localized for the script `quickwebp-admin-attachment` and is available on pages where the WordPress Media Library or post editor is loaded.\n\n1. **Access Admin**: Log in as a Contributor and navigate to the Media Library (`\u002Fwp-admin\u002Fupload.php`).\n2. **Extract Nonce**: The nonce is stored in the global JavaScript object `QUICKWEBP_ADMIN_ATTACHMENT`.\n3. **Execution**:\n   ```javascript\n   \u002F\u002F Run this via browser_eval\n   window.QUICKWEBP_ADMIN_ATTACHMENT?.nonce\n   ```\n\n## 5. Exploitation Strategy\nThe goal is to delete `wp-config.php` to force WordPress into the setup\u002Finstall phase.\n\n### Step 1: Preliminary Environment Check\nVerify the target file exists:\n- `ls \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php`\n\n### Step 2: Nonce Retrieval\n1. Navigate to `\u002Fwp-admin\u002Fupload.php` using `browser_navigate`.\n2. Extract the nonce: `NONCE = browser_eval(\"window.QUICKWEBP_ADMIN_ATTACHMENT.nonce\")`.\n\n### Step 3: Execution of File Deletion\nSend the malicious AJAX request using the `http_request` tool.\n\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST","gemini-3-flash-preview","2026-06-04 22:35:09","2026-06-04 22:36:39",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.2.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquickwebp\u002Ftags\u002F3.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquickwebp.3.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquickwebp\u002Ftags\u002F3.2.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquickwebp.3.2.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquickwebp\u002Ftags"]