{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13750", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-26T16:51:27.349Z", "datePublished": "2025-12-17T06:36:59.567Z", "dateUpdated": "2026-04-08T17:11:00.573Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:00.573Z"}, "affected": [{"vendor": "mateuszgbiorczyk", "product": "Converter for Media \u2013 Optimize images | Convert WebP & AVIF", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Converter for Media \u2013 Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments."}], "title": "Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a31190f-e2ed-46ee-a224-85a0a003738d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3414745/webp-converter-for-media"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Marcin Dudek"}], "timeline": [{"time": "2025-12-08T20:35:33.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-16T18:33:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T21:39:29.484138Z", "id": "CVE-2025-13750", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:40:05.439Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13750", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T21:39:29.484138Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:39:37.444Z"}}], "cna": {"title": "Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint", "credits": [{"lang": "en", "type": "finder", "value": "Marcin Dudek"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "mateuszgbiorczyk", "product": "Converter for Media \u2013 Optimize images | Convert WebP & AVIF", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-08T20:35:33.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-16T18:33:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a31190f-e2ed-46ee-a224-85a0a003738d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3414745/webp-converter-for-media"}], "descriptions": [{"lang": "en", "value": "The Converter for Media \u2013 Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:00.573Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13750", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:00.573Z", "dateReserved": "2025-11-26T16:51:27.349Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-17T06:36:59.567Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Converter for Media \u2013 Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments."}], "id": "CVE-2025-13750", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-17T07:15:58.293", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3414745/webp-converter-for-media"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a31190f-e2ed-46ee-a224-85a0a003738d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:02:37.483302+00:00", "value": {"mitigation_remediation": ["Update the Converter for Media plugin to the latest version, which removes the unauthorized deletion flaw.", "If an update cannot be applied immediately, restrict the capability required for Subscriber-level users or remove the regenerate-attachment REST endpoint using a firewall or role management plugin to prevent exploitation."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized deletion of optimized images"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Converter for Media \u2013 Optimize images | Convert WebP & AVIF plugin, version 6.3.2 or earlier, provided by the vendor mateuszgbiorczyk. All installations of these versions are affected until the plugin is upgraded beyond 6.3.2.", "description_and_impact": "The Converter for Media \u2013 Optimize images | Convert WebP & AVIF plugin for WordPress contains a missing capability check on its REST endpoint /webp-converter/v1/regenerate-attachment. This flaw allows any authenticated user with Subscriber-level access or higher to delete the optimized WebP or AVIF versions of any attachment, effectively removing the performance benefits of the plugin. The weakness aligns with the Missing Authorization (CWE-862).", "risk_and_exploitability": "The vulnerability scores a CVSS of 4.3, indicating medium severity, and has an EPSS value of less than 1%, suggesting a low probability of exploitation at the current time. It is not listed in the CISA KEV catalog. An attacker who is authenticated and holds a Subscriber role or higher can exploit the lack of authorization by sending a request to the exposed REST endpoint, resulting in unauthorized deletion of optimized image data. While the attack requires credentials, the lack of role verification makes the exploitation relatively straightforward for legitimate users."}}}}, "created": "2025-12-17T14:28:28.969597+00:00", "updated": "2026-04-21T17:15:25.326365+00:00", "vendors": ["mateuszgbiorczyk", "mateuszgbiorczyk$PRODUCT$converter_for_media", "wordpress", "wordpress$PRODUCT$wordpress"]}