Impact
The QuickWebP plugin for WordPress contains a Path Traversal flaw (CWE‑22) that allows an attacker who can send crafted HTTP requests to the plugin’s file handling endpoints to delete any file on the server. The vulnerability is not limited to file uploads; any user who can trigger the plugin’s internal operations can specify a relative path that escapes the intended directory, leading to loss of critical data. The flaw is rated CVSS 9.9, indicating that an attacker who succeeds could cause significant damage and potentially compromise the entire WordPress installation.
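The defensive pattern this flaw calls for, shown as an added example that is not QuickWebP's own code: canonicalize the requested path and refuse to unlink anything that resolves outside the directory the plugin is meant to manage. It assumes a POSIX host; the function name, the temporary directory and the file names are constructed for the demo.

```php
<?php
// Added example, not the plugin's code: delete a file only if it stays inside $baseDir.
// $baseDir is the directory the plugin intends to manage (e.g. the uploads directory);
// $userPath is the untrusted relative path taken from the request.
function delete_within_dir(string $baseDir, string $userPath): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false; // the base directory must exist
    }
    // Reject empty input, absolute paths and embedded NUL bytes before touching the filesystem.
    if ($userPath === '' || $userPath[0] === '/' || strpos($userPath, "\0") !== false) {
        return false;
    }
    // realpath() resolves '..' segments and symlinks; false means the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return false;
    }
    // Containment check on the resolved path. The trailing separator keeps a sibling
    // such as "/srv/uploads2" from passing as "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    if (!is_file($target)) {
        return false; // never unlink directories or special files
    }
    return unlink($target);
}

// Constructed demo: a managed directory with one image, and a file outside it.
$root = sys_get_temp_dir() . '/qwdemo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/a.webp', 'x');
file_put_contents($root . '/secret.txt', 'y');

// A traversal attempt and a legitimate request, both routed through the same check.
foreach (['../secret.txt', 'a.webp'] as $p) {
    $result = delete_within_dir($root . '/uploads', $p) ? 'deleted' : 'refused';
    printf("%-14s -> %s (secret.txt %s)\n", $p, $result,
        file_exists($root . '/secret.txt') ? 'still present' : 'gone');
}
```

Because the check runs on the resolved path, a symlink placed inside the managed directory that points elsewhere is refused as well.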
Affected Systems
WordPress sites running the plugin listed as "Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly" at version 3.2.7 or earlier are affected. The vulnerability does not apply to newer plugin releases. Administrators should verify the installed plugin version on the Plugins page of the WordPress dashboard.
Risk and Exploitability
The CVSS score of 9.9 places the vulnerability in the Critical range. No EPSS value is provided, but the lack of a mitigation and the remote nature of the flaw suggest a high likelihood of exploitation. The flaw is not listed in CISA KEV, but the severity alone warrants immediate action. An attacker need only send a request to the plugin's endpoint with a crafted file path; no privileged credentials are required beyond being able to reach the WordPress site. Therefore, as long as the plugin remains installed in a vulnerable state, the risk of arbitrary file deletion across the file system is high.
OpenCVE Enrichment