Description
The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2026-01-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Arbitrary File Upload leading to Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The WP Enable WebP plugin for WordPress performs improper file type validation in its 'wpse_file_and_ext_webp' function, so the extension and type checks applied to uploads can be bypassed. An authenticated user with the Author role or higher can therefore upload arbitrary files to the server. If the uploaded file is one the web server will execute, such as a PHP script, remote code execution may follow. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability is present in all plugin versions up to and including 1.0.

Affected Systems

The affected product is WP Enable WebP from eastsidecode. Every release from the first version through 1.0 is vulnerable; 1.0 does not contain a fix, and no later release has been listed yet.

Risk and Exploitability

The CVSS v3.1 base score of 8.8 (High) reflects a network-reachable flaw that needs only low privileges and no user interaction and yields a full loss of confidentiality, integrity and availability within the vulnerable component (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The EPSS score of under 1% indicates a low but non-zero probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; the SSVC values recorded at publication (Exploitation: none, Automatable: no, Technical Impact: total) point the same way. Exploitation requires an authenticated account with the Author role or higher, a level of access that multi-author WordPress sites routinely grant to people who are not administrators, so a single compromised or malicious contributor account is sufficient. An attacker with such an account could use the upload path to place a web shell or other malicious file on the server and potentially execute it, compromising the confidentiality, integrity and availability of the site.

Generated by OpenCVE AI on April 20, 2026 at 21:16 UTC.
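How the 8.8 above follows from the vector recorded in the History section, as an added worked example written for this page (not part of the OpenCVE analysis or of any vendor material). The metric weights, the impact and exploitability formulas and the round-up rule are those of the CVSS v3.1 specification; the names prefixed example_ are this page's own.

```php
<?php
// Added example for this page: recompute a CVSS v3.1 base score from its
// vector string with the weights and rounding rule of the CVSS v3.1 spec.
// Names prefixed example_ are this page's own; the numbers are the spec's.

const EXAMPLE_WEIGHTS = array(
    'AV' => array( 'N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2 ),
    'AC' => array( 'L' => 0.77, 'H' => 0.44 ),
    'UI' => array( 'N' => 0.85, 'R' => 0.62 ),
    'C'  => array( 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 ),
    'I'  => array( 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 ),
    'A'  => array( 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 ),
);
// Privileges Required weighs more when scope changes: index 0 = S:U, 1 = S:C.
const EXAMPLE_PR = array( 'N' => array( 0.85, 0.85 ), 'L' => array( 0.62, 0.68 ), 'H' => array( 0.27, 0.5 ) );

/** Spec round-up: smallest one-decimal value >= $x, done on integers to avoid float noise. */
function example_roundup( float $x ): float {
    $i = (int) round( $x * 100000 );
    return ( $i % 10000 === 0 ) ? $i / 100000 : ( floor( $i / 10000 ) + 1 ) / 10;
}

/** Parse 'CVSS:3.1/AV:N/AC:L/...' into a metric => value map, requiring all eight base metrics. */
function example_parse_vector( string $vector ): array {
    if ( strncmp( $vector, 'CVSS:3.1/', 9 ) !== 0 ) {
        throw new InvalidArgumentException( 'not a CVSS v3.1 vector' );
    }
    $m = array();
    foreach ( explode( '/', substr( $vector, 9 ) ) as $pair ) {
        list( $k, $v ) = explode( ':', $pair, 2 );
        $m[ $k ] = $v;
    }
    foreach ( array( 'AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A' ) as $required ) {
        if ( ! isset( $m[ $required ] ) ) {
            throw new InvalidArgumentException( "missing base metric $required" );
        }
    }
    return $m;
}

/** Base score as defined in CVSS v3.1 section 7.1. */
function example_cvss31_base( string $vector ): float {
    $m       = example_parse_vector( $vector );
    $changed = ( $m['S'] === 'C' );
    $w       = EXAMPLE_WEIGHTS;

    // Impact Sub-Score, then Impact depending on scope.
    $iss    = 1 - ( 1 - $w['C'][ $m['C'] ] ) * ( 1 - $w['I'][ $m['I'] ] ) * ( 1 - $w['A'][ $m['A'] ] );
    $impact = $changed
        ? 7.52 * ( $iss - 0.029 ) - 3.25 * pow( $iss - 0.02, 15 )
        : 6.42 * $iss;
    $exploitability = 8.22 * $w['AV'][ $m['AV'] ] * $w['AC'][ $m['AC'] ]
        * EXAMPLE_PR[ $m['PR'] ][ $changed ? 1 : 0 ] * $w['UI'][ $m['UI'] ];

    if ( $impact <= 0 ) {
        return 0.0;
    }
    $sum = $changed ? 1.08 * ( $impact + $exploitability ) : $impact + $exploitability;
    return example_roundup( min( $sum, 10 ) );
}

if ( PHP_SAPI === 'cli' ) {
    $recorded = 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'; // vector from the History section
    printf( "%s -> %.1f\n", $recorded, example_cvss31_base( $recorded ) );
    // The same flaw reachable without an account (PR:N) crosses into Critical.
    $preauth = str_replace( 'PR:L', 'PR:N', $recorded );
    printf( "%s -> %.1f\n", $preauth, example_cvss31_base( $preauth ) );
}
```

Run from the command line, the recorded vector evaluates to 8.8 and the PR:N variant to 9.8: the Author-level account requirement (PR:L, weight 0.62 instead of 0.85) is the only thing keeping this finding out of the Critical band, which is why the role assignments on a site matter as much as the patch.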

Remediation

No vendor fix or workaround has been provided at the time of writing.

OpenCVE Recommended Actions

  • Upgrade the WP Enable WebP plugin to a version that implements proper file type validation as soon as one is published; none is listed at the time of writing.
  • If no fixed version is available, deactivate and uninstall the plugin until the issue is resolved. WordPress 5.8 and later accept WebP uploads natively, so on a current core version the plugin may no longer be needed at all.
  • Apply server‑side validation independent of the plugin: determine the type from the file contents (magic bytes), not from the client‑supplied Content‑Type header or the extension alone; reject names that carry a script extension anywhere in them, such as .php, .phtml, .phar or .exe; and accept only an explicit allow‑list of image types.
  • Configure the web server to refuse to execute scripts under wp-content/uploads, so that a file that slips past validation still cannot run.
  • Review the accounts holding Author or higher roles and check the uploads directory for recently added non‑image files; since every release is affected, an existing site may already have been used.

Generated by OpenCVE AI on April 20, 2026 at 21:16 UTC.
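The content-based validation the recommendations above call for, as an added example written for this page (not code from WP Enable WebP or from WordPress core). It assumes, from the name of the vulnerable function, that a WebP-enabling plugin registers a callback on WordPress's wp_check_filetype_and_ext filter; that hook, its argument list and the image/webp type are real WordPress API, while the example_ functions, the script-extension pattern, the constructed sample bytes and the temp-file demo are the example's own.

```php
<?php
// Added example for this page, not code from WP Enable WebP or WordPress core.
// Assumption: a WebP-enabling plugin hooks WordPress's wp_check_filetype_and_ext
// filter (a real hook; the vulnerable function's name suggests it). Everything
// prefixed example_ is written for this page.

/** Script-like extension segments that must not appear anywhere in a name. */
const EXAMPLE_SCRIPT_EXTS = '/^(php\d*|phtml|phar|shtml|cgi|pl|htaccess|exe)$/i';

/**
 * True only if the file's bytes form a WebP container: 'RIFF' at offset 0,
 * a little-endian size at 4 equal to (file length - 8), 'WEBP' at 8 and one
 * of the three WebP chunk FourCCs at 12. The file name is never consulted.
 */
function example_is_real_webp( string $path ): bool {
    $fh = @fopen( $path, 'rb' );
    if ( $fh === false ) {
        return false;
    }
    $head = fread( $fh, 16 );
    fclose( $fh );
    if ( $head === false || strlen( $head ) < 16 ) {
        return false;
    }
    if ( substr( $head, 0, 4 ) !== 'RIFF' || substr( $head, 8, 4 ) !== 'WEBP' ) {
        return false;
    }
    if ( ! in_array( substr( $head, 12, 4 ), array( 'VP8 ', 'VP8L', 'VP8X' ), true ) ) {
        return false;
    }
    $riff_size = unpack( 'V', substr( $head, 4, 4 ) )[1];
    clearstatcache( true, $path );
    $length = filesize( $path );
    return $length !== false && $riff_size + 8 === $length;
}

/**
 * True if the name ends in .webp and no earlier segment is a script
 * extension, so 'shell.php.webp' is refused even when its bytes are WebP.
 */
function example_name_is_plain_webp( string $filename ): bool {
    $parts = explode( '.', basename( $filename ) );
    if ( count( $parts ) < 2 || strtolower( end( $parts ) ) !== 'webp' ) {
        return false;
    }
    foreach ( array_slice( $parts, 1, -1 ) as $segment ) {
        if ( preg_match( EXAMPLE_SCRIPT_EXTS, $segment ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Callback for wp_check_filetype_and_ext. WordPress passes the array
 * ['ext' => ..., 'type' => ..., 'proper_filename' => ...], the temp path,
 * the original name, the allowed MIME map and the MIME it detected itself.
 * Only an upload core could not classify is touched, and it is accepted as
 * WebP solely when both the name and the bytes say so; nothing else widens.
 */
function example_file_and_ext_webp( array $result, string $file, string $filename, $mimes, $real_mime = false ): array {
    if ( ! empty( $result['ext'] ) && ! empty( $result['type'] ) ) {
        return $result; // core already recognised the type; leave it alone
    }
    if ( ! example_name_is_plain_webp( $filename ) || ! example_is_real_webp( $file ) ) {
        return $result; // keep core's rejection ('ext' => false) in place
    }
    $result['ext']             = 'webp';
    $result['type']            = 'image/webp';
    $result['proper_filename'] = false;
    return $result;
}

if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wp_check_filetype_and_ext', 'example_file_and_ext_webp', 10, 5 );
} elseif ( PHP_SAPI === 'cli' ) {
    // Stand-alone demo on constructed sample files (not real uploads):
    // a minimal 26-byte WebP container and a PHP payload named as an image.
    $webp = 'RIFF' . pack( 'V', 18 ) . 'WEBP' . 'VP8L' . pack( 'V', 6 ) . "\x2f\x00\x00\x00\x00\x00";
    $php  = "<?php system(\$_GET['c']); // disguised as an image";
    $rejected = array( 'ext' => false, 'type' => false, 'proper_filename' => false );
    foreach ( array( 'photo.webp' => $webp, 'shell.webp' => $php, 'shell.php.webp' => $webp ) as $name => $bytes ) {
        $tmp = tempnam( sys_get_temp_dir(), 'ex' );
        file_put_contents( $tmp, $bytes );
        $out = example_file_and_ext_webp( $rejected, $tmp, $name, null );
        printf( "%-15s -> %s\n", $name, $out['ext'] ? $out['type'] : 'rejected' );
        unlink( $tmp );
    }
}
```

Run with php on the command line the demo accepts photo.webp as image/webp and rejects both shell.webp (PHP bytes behind an image name) and shell.php.webp (WebP bytes behind a double extension). Inside WordPress the same callback only ever narrows: it never sets a type for a name or a byte pattern it did not verify, which is the property a filter on this hook must keep if it is not to reintroduce CWE-434.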

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 08:30:00 +0000

Type                 Values Removed   Values Added
Description                           The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title                                 WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload
Weaknesses                            CWE-434
References
Metrics                               cvssV3_1
                                      {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:21.834Z

Reserved: 2025-12-27T19:08:50.291Z

Link: CVE-2025-15158

Vulnrichment

Updated: 2026-01-07T14:46:49.732Z

NVD

Status: Deferred

Published: 2026-01-07T12:16:59.160

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15158

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses