CVE-2026-32415

Squeeze <= 1.7.7 - Authenticated (Subscriber+) Directory Traversal

mediumImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.7.8
Patched in
70d
Time to patch

Description

The Squeeze – Image Optimization & Compression, WEBP Conversion plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.7.7
PublishedFebruary 25, 2026
Last updatedMay 5, 2026
Affected pluginsqueeze

What Changed in the Fix

Changes introduced in v1.7.8

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

Options.nonce`. Wait, I'll focus on `squeeze_get_directories` first as it's the most direct "Directory Traversal" (browsing). If that works, the "Integrity" part might come from `squeeze_update_attachment` allowing a Subscriber to overwrite files. Actually, let's look at the description ag…

Show full research plan

Options.nonce`.

Wait, I'll focus on `squeeze_get_directories` first as it's the most direct "Directory Traversal" (browsing). If that works, the "Integrity" part might come from `squeeze_update_attachment` allowing a Subscriber to overwrite files.

Actually, let's look at the description again. "Directory Traversal... perform actions on files".
This strongly suggests we can manipulate files.
If `squeeze_get_directories` is the entry point, it probably returns a list of files in a directory.
If `squeeze_update_attachment` is the entry point, it writes to a file.

Let's check the CVSS: `I:L`. This means we can change something but not fully control the system. Overwriting a file with image data fits this.

1.  Create Subscriber.
2.  Get Nonce from `squeezeOptions.nonce`.
3.  Call `squeeze_get_directories` with `path=/`. This will likely show the root directory if vulnerable.
4.  Call `squeeze_update_attachment` with `filename=../../../traversal.txt` to test write capability.

Wait, `get_directories` is more likely to be the one missing the check because it's a "helper" function.
In `inc/handlers.php`:
```php
add_action( 'wp_ajax_squeeze_get_directories', [$this, 'get
Research Findings
Static analysis — not yet PoC-verified

Summary

The Squeeze plugin for WordPress (up to version 1.7.7) is vulnerable to directory traversal because its AJAX handlers, specifically `squeeze_get_directories`, do not implement proper capability checks or path validation. This allows authenticated attackers with Subscriber-level permissions or higher to browse arbitrary directories and potentially interact with sensitive files on the server.

Vulnerable Code

// inc/handlers.php line 17
add_action( 'wp_ajax_squeeze_get_directories', [$this, 'get_directories'] );

---

// inc/handlers.php (Function logic inferred from analysis of similar handlers and research plan)
public function get_directories() {
    check_ajax_referer( 'squeeze-nonce', '_ajax_nonce' );
    $path = ( isset( $_POST["path"] ) ? sanitize_text_field( wp_unslash( $_POST["path"] ) ) : '' );
    // Missing: if ( !current_user_can( 'upload_files' ) ) { ... }
    // Missing: if ( validate_file( $path ) !== 0 ) { ... }
    // The plugin proceeds to use the $path parameter to list file system contents.
}

Security Fix

--- inc/handlers.php
+++ inc/handlers.php
@@ -107,6 +107,13 @@
     public function get_directories() {
         check_ajax_referer( 'squeeze-nonce', '_ajax_nonce' );
+
+        if ( ! current_user_can( 'upload_files' ) ) {
+            wp_send_json_error( 'Permission denied' );
+        }
+
         $path = ( isset( $_POST["path"] ) ? sanitize_text_field( wp_unslash( $_POST["path"] ) ) : '' );
+
+        if ( validate_file( $path ) !== 0 ) {
+            wp_send_json_error( 'Invalid path' );
+        }
+

Exploit Outline

1. Login to the WordPress site as a user with Subscriber-level access. 2. Locate the 'squeeze-nonce' in the page source of any admin-related page (e.g., /wp-admin/profile.php) where the plugin localizes its settings into the `squeezeOptions` JavaScript object. 3. Send a POST request to `/wp-admin/admin-ajax.php` with the following parameters: - `action`: `squeeze_get_directories` - `_ajax_nonce`: [Extracted Nonce] - `path`: A traversal string such as `/` or `../../` to escape the intended directory. 4. Observe the response containing a listing of the directory contents from the server's file system.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.