CVE-2025-13750 – This vulnerability allows authenticated WordPre... (How to Fix)

Q: What is the severity of CVE-2025-13750?

CVE-2025-13750 has a CVSS score of 4.3 (MEDIUM). This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to delete optimized WebP/AVIF image variants for any attachment via a REST API endpoint. It affects all WordPress sites using the Converter for Media plugin up to version 6.3.2. Attackers can disrupt website performance by removing optimized images, potentially causing slower page loads.

📋 TL;DR

This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to delete optimized WebP/AVIF image variants for any attachment via a REST API endpoint. It affects all WordPress sites using the Converter for Media plugin up to version 6.3.2. Attackers can disrupt website performance by removing optimized images, potentially causing slower page loads.

💻 Affected Systems

Products:

Converter for Media – Optimize images | Convert WebP & AVIF WordPress plugin

Versions: All versions up to and including 6.3.2

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin enabled and at least one authenticated user with Subscriber role or higher.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious actors systematically delete all optimized images, causing significant website performance degradation, increased bandwidth costs, and potential SEO impact due to slower page speeds.

🟠

Likely Case

Targeted deletion of optimized images for critical pages or media assets, causing temporary performance issues until images are re-optimized.

🟢

If Mitigated

Minimal impact with proper access controls and monitoring, where unauthorized deletions are quickly detected and restored from backups.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is straightforward via REST API calls. No special tools needed beyond basic HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.3

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3414745/webp-converter-for-media

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Converter for Media – Optimize images | Convert WebP & AVIF'. 4. Click 'Update Now' if update available. 5. Alternatively, download version 6.3.3+ from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable REST endpoint

all

Remove or restrict access to the /webp-converter/v1/regenerate-attachment endpoint via .htaccess or web server configuration.

# Add to .htaccess for Apache:
RewriteRule ^wp-json/webp-converter/v1/regenerate-attachment - [F,L]
# Nginx configuration:
location ~* ^/wp-json/webp-converter/v1/regenerate-attachment { return 403; }

Restrict user capabilities

all

Temporarily limit Subscriber and other low-privilege users from accessing REST API endpoints.

# WordPress function to add to theme's functions.php:
add_filter('rest_authentication_errors', function($result) {
    if (!is_user_logged_in() || !current_user_can('edit_posts')) {
        return new WP_Error('rest_cannot_access', 'REST API access restricted.', array('status' => 401));
    }
    return $result;
});

🧯 If You Can't Patch

Disable the Converter for Media plugin entirely until patched.
Implement strict monitoring of REST API access logs for suspicious /regenerate-attachment requests.

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 6.3.2 or lower, the site is vulnerable.

Check Version:

wp plugin list --name='webp-converter-for-media' --field=version

Verify Fix Applied:

Confirm plugin version is 6.3.3 or higher. Test that Subscriber-level users cannot access /wp-json/webp-converter/v1/regenerate-attachment endpoint.

📡 Detection & Monitoring

Log Indicators:

HTTP 200/204 responses to POST /wp-json/webp-converter/v1/regenerate-attachment from non-admin users
Unusual deletion events in media library logs from low-privilege accounts

Network Indicators:

POST requests to /wp-json/webp-converter/v1/regenerate-attachment with attachment_id parameter from unexpected user roles

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-json/webp-converter/v1/regenerate-attachment" AND http_method="POST") AND user_role!="administrator"

📊 Metadata

CVE ID: CVE-2025-13750

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-862

EPSS Score: 0.03% exploit probability (9.5th percentile)

Published: December 17, 2025

Last Updated: December 18, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13750, you might also want to check these: