Description
Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebP Conversion: from n/a through <= 2.2.
Published: 2026-01-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access Control Bypass
Action: Apply Patch
AI Analysis

Impact

The WebP Conversion plugin for WordPress contains a missing authorization flaw that allows unauthorized users to trigger the plugin’s functionality. This broken access control can expose or modify content that the privileged user expected to protect. The vulnerability is classified as CWE-862 (Missing Authorization): the plugin does not properly validate user permissions. As a result, attackers might modify images or the plugin configuration, potentially leading to data tampering or unauthorized information disclosure.

Affected Systems

The issue affects the WordPress WebP Conversion plugin from the first release through version 2.2. Hosts running any of those versions are susceptible; newer releases are not impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests low immediate exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is via HTTP requests that hit the plugin’s exposed endpoints, potentially by an unauthenticated or low‑privileged user. No special permissions or system configuration changes are necessary to exploit the flaw.

Generated by OpenCVE AI on April 16, 2026 at 07:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WebP Conversion plugin to a version later than 2.2.
  • If an upgrade is unavailable, delete the plugin from the WordPress installation.
  • Restrict access to the plugin’s features by configuring WordPress role permissions so that only trusted administrators or editors can use it.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebP Conversion: from n/a through <= 2.1.
Values Added: Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebP Conversion: from n/a through <= 2.2.

Type: Title
Values Removed: WordPress WebP Conversion plugin <= 2.1 - Broken Access Control vulnerability
Values Added: WordPress WebP Conversion plugin <= 2.2 - Broken Access Control vulnerability

Wed, 28 Jan 2026 18:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Mon, 26 Jan 2026 23:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 23 Jan 2026 14:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebP Conversion: from n/a through <= 2.1.

Type: Title
Values Added: WordPress WebP Conversion plugin <= 2.1 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:48.746Z

Reserved: 2026-01-23T12:31:40.819Z

Link: CVE-2026-24530

Vulnrichment

Updated: 2026-01-26T19:09:13.216Z

NVD

Status: Deferred

Published: 2026-01-23T15:16:08.993

Modified: 2026-04-28T15:16:10.697

Link: CVE-2026-24530

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:45:06Z
