Description
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments.
Published: 2025-12-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of optimized images
Action: Immediate Patch
AI Analysis

Impact

The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is missing a capability check on its REST endpoint /webp-converter/v1/regenerate-attachment. Because the endpoint does not verify the caller's role, any authenticated user with Subscriber-level access or higher can delete the optimized WebP or AVIF versions of any attachment, removing the performance benefit the plugin provides. The weakness corresponds to Missing Authorization (CWE-862).
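As an added illustration (not the plugin's own code; the route namespace, function names and the `attachment_id` parameter are hypothetical), the following shows a WordPress REST route of this kind registered with a `permission_callback` that enforces a capability check on the specific attachment, next to the weak setting that admits any caller:

```php
<?php
// Added example (not the plugin's own code): a WordPress REST route whose
// permission_callback enforces a capability check. Namespace, function names
// and the attachment_id parameter are hypothetical.

// Weak pattern: a permission_callback that admits every caller. A route
// registered this way has the missing authorization CWE-862 describes.
$weak_route_args = array(
    'methods'             => WP_REST_Server::CREATABLE,
    'callback'            => 'example_regenerate_attachment',
    'permission_callback' => '__return_true',
);

// Hardened pattern: the caller must hold edit_post on the target attachment.
// Subscribers hold only 'read', so they are rejected with 401/403.
function example_regenerate_permission( WP_REST_Request $request ) {
    $attachment_id = absint( $request->get_param( 'attachment_id' ) );
    if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        return new WP_Error( 'rest_invalid_attachment', 'Unknown attachment.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not modify this attachment.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

function example_register_routes() {
    register_rest_route( 'example-converter/v1', '/regenerate-attachment', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_regenerate_attachment',
        'permission_callback' => 'example_regenerate_permission',
        'args'                => array(
            'attachment_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_routes' );

function example_regenerate_attachment( WP_REST_Request $request ) {
    $attachment_id = absint( $request->get_param( 'attachment_id' ) );
    // Plugin-specific work (removing and rebuilding WebP/AVIF variants) would go here.
    return rest_ensure_response( array( 'attachment_id' => $attachment_id, 'status' => 'queued' ) );
}
```

The check is per attachment, so an Author can still regenerate variants of their own uploads while a Subscriber, or an Author targeting someone else's media, receives a 403.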

Affected Systems

WordPress sites using the Converter for Media – Optimize images | Convert WebP & AVIF plugin, version 6.3.2 or earlier, provided by the vendor mateuszgbiorczyk. All installations of these versions are affected until the plugin is upgraded beyond 6.3.2.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.3 (medium severity) and an EPSS value below 1%, suggesting a low probability of exploitation at present. It is not listed in the CISA KEV catalog. An authenticated attacker holding a Subscriber role or higher can exploit the missing authorization check by sending a request to the exposed REST endpoint, resulting in unauthorized deletion of optimized image data. Although the attack requires credentials, the absence of role verification means any low-privileged authenticated account can trigger it.

Generated by OpenCVE AI on April 21, 2026 at 17:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Converter for Media plugin to the latest version, which removes the unauthorized deletion flaw.
  • If an update cannot be applied immediately, restrict access to the regenerate-attachment REST endpoint (for example, block it with a web application firewall rule or limit it with a role-management plugin) so that Subscriber-level accounts cannot reach it.



Advisories

No advisories yet.

History

Wed, 17 Dec 2025 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Dec 2025 14:30:00 +0000

Type: First Time appeared
Values Added: Mateuszgbiorczyk; Mateuszgbiorczyk converter For Media; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Mateuszgbiorczyk; Mateuszgbiorczyk converter For Media; Wordpress; Wordpress wordpress

Wed, 17 Dec 2025 07:00:00 +0000

Type: Description
Values Added: The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments.

Type: Title
Values Added: Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Mateuszgbiorczyk Converter For Media
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:00.573Z

Reserved: 2025-11-26T16:51:27.349Z

Link: CVE-2025-13750

Vulnrichment

Updated: 2025-12-17T21:39:37.444Z

NVD

Status : Deferred

Published: 2025-12-17T07:15:58.293

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13750

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses