CVE-2021-24641
📋 TL;DR
The Images to WebP WordPress plugin before version 1.9 lacks CSRF protection for administrative actions, allowing attackers to trick authenticated administrators into performing unauthorized actions. This vulnerability affects WordPress sites using vulnerable versions of the plugin, potentially leading to settings modification, denial-of-service, and arbitrary image conversion.
💻 Affected Systems
- Images to WebP WordPress Plugin
📦 What is this software?
Images To Webp by Imagestowebp Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify plugin settings to disrupt site functionality, cause denial-of-service by exhausting server resources through malicious image conversion requests, or potentially chain with other vulnerabilities for further compromise.
Likely Case
Attackers trick administrators into clicking malicious links that modify plugin settings or trigger resource-intensive image conversions, causing service disruption or unwanted configuration changes.
If Mitigated
With proper CSRF protection and user awareness, the risk is significantly reduced as attackers cannot force unauthorized actions without administrator interaction.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into performing actions via CSRF, making it relatively straightforward for attackers with social engineering capabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9
Vendor Advisory: https://wpscan.com/vulnerability/972f8c5d-22b7-42de-a981-2e5acb72297b
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Images to WebP' plugin.
4. Click 'Update Now' if available, or manually update to version 1.9 or later.
5. Verify the plugin version after the update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Deactivate the vulnerable plugin until patching is possible
wp plugin deactivate images-to-webp
CSRF Protection Implementation
Add custom CSRF tokens to plugin admin endpoints (advanced users only)
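As an added example that is not part of this advisory or of the plugin's own code, this is how a WordPress admin settings handler is protected the way the workaround describes, using the core nonce API rather than a hand-rolled token. The hook name, option name, form field names and capability are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): a CSRF-hardened settings handler
// for a hypothetical WebP options page. Names are assumptions.
// The vulnerable pattern is the same handler with the two checks below missing:
// any request arriving with the admin's cookies is then acted upon.

add_action( 'admin_post_itw_save_settings', 'itw_handle_save_settings' );

function itw_handle_save_settings() {
    // 1. Authorisation: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the nonce is bound to this action, this user and a time
    //    window. A cross-site page cannot read it, so a forged POST dies here.
    check_admin_referer( 'itw_save_settings', 'itw_nonce' );

    // 3. Validate and sanitise input before storing it.
    $quality = isset( $_POST['itw_quality'] ) ? absint( $_POST['itw_quality'] ) : 80;
    $quality = min( 100, max( 1, $quality ) );
    update_option( 'itw_quality', $quality );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// The settings form that issues the nonce. wp_nonce_field() emits the hidden
// itw_nonce field plus _wp_http_referer, which check_admin_referer() verifies.
function itw_render_settings_form() {
    $quality = (int) get_option( 'itw_quality', 80 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="itw_save_settings">
        <?php wp_nonce_field( 'itw_save_settings', 'itw_nonce' ); ?>
        <label>WebP quality
            <input type="number" name="itw_quality" min="1" max="100"
                   value="<?php echo esc_attr( $quality ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The same two checks (capability, then nonce) belong in every state-changing endpoint of a plugin, including AJAX handlers, where check_ajax_referer() plays the role of check_admin_referer().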
🧯 If You Can't Patch
- Remove the Images to WebP plugin entirely and use alternative image optimization solutions
- Implement strict access controls and user awareness training to prevent administrators from clicking untrusted links
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins, find Images to WebP and verify version is below 1.9
Check Version:
wp plugin get images-to-webp --field=version
Verify Fix Applied:
Confirm plugin version is 1.9 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin.php?page=images-to-webp
- Multiple image conversion requests from single IP/session
- Plugin settings changes without corresponding admin login
Network Indicators:
- CSRF attack patterns with referer header manipulation
- Unexpected POST requests to plugin admin endpoints
SIEM Query:
source="wordpress" AND (uri="/wp-admin/admin.php?page=images-to-webp" OR plugin="images-to-webp") AND status=200