{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15158", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-27T19:08:50.291Z", "datePublished": "2026-01-07T08:21:56.508Z", "dateUpdated": "2026-04-08T17:34:21.834Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:21.834Z"}, "affected": [{"vendor": "eastsidecode", "product": "WP Enable WebP", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa53c5ee-fe7f-4fb2-baaa-2c1a151d4b2c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-enable-webp/trunk/wp-enable-webp.php?rev=1998897#L43"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "timeline": [{"time": "2026-01-06T19:45:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T14:46:47.338461Z", "id": "CVE-2025-15158", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:12:13.226Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15158", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-07T14:46:47.338461Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:46:49.732Z"}}], "cna": {"title": "WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "eastsidecode", "product": "WP Enable WebP", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T19:45:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa53c5ee-fe7f-4fb2-baaa-2c1a151d4b2c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-enable-webp/trunk/wp-enable-webp.php?rev=1998897#L43"}], "descriptions": [{"lang": "en", "value": "The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:21.834Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15158", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:21.834Z", "dateReserved": "2025-12-27T19:08:50.291Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T08:21:56.508Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "id": "CVE-2025-15158", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:59.160", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-enable-webp/trunk/wp-enable-webp.php?rev=1998897#L43"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa53c5ee-fe7f-4fb2-baaa-2c1a151d4b2c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:16:37.360922+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Enable WebP plugin to the latest version that implements proper file type validation, if one is available.", "If an upgrade cannot be applied immediately, disable or remove the plugin\u2019s file upload functionality or uninstall the plugin entirely until the issue is resolved.", "Apply server\u2011side validation in addition to any existing checks: verify MIME type and file extension, and block uploads of executable file types such as .php, .phtml, or .exe."], "summary": {"action": "Immediate Patch", "impact": "Authenticated Arbitrary File Upload leading to Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is WP Enable WebP from eastsidecode. All releases dating from the first version through 1.0 are vulnerable; no fix is provided in version 1.0 and later releases have not been listed yet.", "description_and_impact": "The WP Enable WebP plugin for WordPress suffers from improper file type validation in its upload functionality. An authenticated user with Author or higher privileges can upload arbitrary files to the server. If the attacker uploads a file capable of being executed, such as a PHP script, remote code execution may be achieved. The weakness is classified as CWE\u2011434. The vulnerability is present in all plugin versions up to and including 1.0.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, while the EPSS score of under 1% suggests a low yet non\u2011zero exploitation probability in the general population. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with Author or stronger role, an opportunity that many WordPress sites grant to content authors. An attacker could exploit the upload endpoint to place malicious files on the server and potentially execute them, thereby compromising confidentiality, integrity, and availability of the site."}}}}, "created": "2026-01-08T09:49:35.436670+00:00", "updated": "2026-04-20T21:30:18.562617+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}