PT-2025-51816 · WordPress · Converter For Media
Marcin Dudek · Published 2025-12-17 · Updated 2025-12-17 · CVE-2025-13750
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress versions up to and including 6.3.2
Description
The plugin is susceptible to unauthorized data modification because of a missing capability check on the /webp-converter/v1/regenerate-attachment REST endpoint. This allows authenticated attackers with Subscriber-level access or higher to delete optimized WebP/AVIF variants for any attachment. The affected API endpoint is /webp-converter/v1/regenerate-attachment.
Recommendations
Versions prior to and including 6.3.2 should be updated.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Converter For Media
Converter For Media – Optimize Images