4 vulnerabilities found for Converter for Media – Optimize images | Convert WebP & AVIF by mateuszgbiorczyk
CVE-2026-1356 (GCVE-0-2026-1356)
Vulnerability from nvd – Published: 2026-02-12 09:25 – Updated: 2026-02-12 14:20
Title
Converter for Media – Optimize images | Convert WebP & AVIF <= 6.5.1 - Unauthenticated Server-Side Request Forgery via src
Summary
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.5.1 via the PassthruLoader::load_image_source function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity
4.8 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| mateuszgbiorczyk | Converter for Media – Optimize images \| Convert WebP & AVIF | Affected: *, ≤ 6.5.1 (semver) |
Credits
Lucas Montes
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1356",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T14:19:51.556509Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T14:20:15.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Converter for Media \u2013 Optimize images | Convert WebP \u0026 AVIF",
"vendor": "mateuszgbiorczyk",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucas Montes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Converter for Media \u2013 Optimize images | Convert WebP \u0026 AVIF plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.5.1 via the PassthruLoader::load_image_source function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T09:25:49.034Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/188d812c-2955-4b0c-ae1c-b42c0f60b73b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3445904/webp-converter-for-media"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-22T20:16:13.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-11T21:24:23.000Z",
"value": "Disclosed"
}
],
"title": "Converter for Media \u2013 Optimize images | Convert WebP \u0026 AVIF \u003c= 6.5.1 - Unauthenticated Server-Side Request Forgery via src"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1356",
"datePublished": "2026-02-12T09:25:49.034Z",
"dateReserved": "2026-01-22T19:44:35.120Z",
"dateUpdated": "2026-02-12T14:20:15.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13750 (GCVE-0-2025-13750)
Vulnerability from nvd – Published: 2025-12-17 06:36 – Updated: 2025-12-17 21:40
Title
Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint
Summary
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| mateuszgbiorczyk | Converter for Media – Optimize images \| Convert WebP & AVIF | Affected: *, ≤ 6.3.2 (semver) |
Credits
Marcin Dudek
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:39:29.484138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:40:05.439Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Converter for Media \u2013 Optimize images | Convert WebP \u0026 AVIF",
"vendor": "mateuszgbiorczyk",
"versions": [
{
"lessThanOrEqual": "6.3.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marcin Dudek"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Converter for Media \u2013 Optimize images | Convert WebP \u0026 AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T06:36:59.567Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a31190f-e2ed-46ee-a224-85a0a003738d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3414745/webp-converter-for-media"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-08T20:35:33.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-16T18:33:57.000Z",
"value": "Disclosed"
}
],
"title": "Converter for Media \u003c= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13750",
"datePublished": "2025-12-17T06:36:59.567Z",
"dateReserved": "2025-11-26T16:51:27.349Z",
"dateUpdated": "2025-12-17T21:40:05.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1356 (GCVE-0-2026-1356)
Vulnerability from cvelistv5 – Published: 2026-02-12 09:25 – Updated: 2026-02-12 14:20
Title
Converter for Media – Optimize images | Convert WebP & AVIF <= 6.5.1 - Unauthenticated Server-Side Request Forgery via src
Summary
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.5.1 via the PassthruLoader::load_image_source function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity
4.8 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| mateuszgbiorczyk | Converter for Media – Optimize images \| Convert WebP & AVIF | Affected: *, ≤ 6.5.1 (semver) |
Credits
Lucas Montes
CVE-2025-13750 (GCVE-0-2025-13750)
Vulnerability from cvelistv5 – Published: 2025-12-17 06:36 – Updated: 2025-12-17 21:40
Title
Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint
Summary
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| mateuszgbiorczyk | Converter for Media – Optimize images \| Convert WebP & AVIF | Affected: *, ≤ 6.3.2 (semver) |
Credits
Marcin Dudek