– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2025-15158 (metadata-based):
This vulnerability is an arbitrary file upload flaw in the WP Enable WebP WordPress plugin version 1.0. The vulnerability resides in the ‘wpse_file_and_ext_webp’ function. It allows authenticated attackers with Author-level privileges or higher to upload files with dangerous extensions, potentially leading to remote code execution. The CVSS score of 8.8 reflects a high-severity network-accessible attack with low attack complexity.

Atomic Edge research infers the root cause is improper file type validation, consistent with CWE-434. The plugin likely accepts file uploads via an AJAX handler or admin POST request. It fails to properly verify the file’s extension or MIME type before moving it to a web-accessible directory. These conclusions are inferred from the CWE classification and standard WordPress plugin patterns, as no source code diff is available for confirmation.

Exploitation requires an attacker to possess an Author-level WordPress account. The attacker would send a POST request to a plugin-specific AJAX endpoint, such as ‘/wp-admin/admin-ajax.php’. The request would use an action parameter like ‘wpse_file_and_ext_webp’ or a derivative. The payload includes a malicious file, such as a PHP web shell, with a double extension like ‘shell.php.webp’ or a spoofed Content-Type header to bypass weak validation. The uploaded file would be placed in a predictable location like the WordPress uploads directory.

Effective remediation requires implementing strict server-side validation of both file extension and MIME type. A whitelist of allowed file types, specifically only WebP images, should be enforced. The plugin should also verify file signatures (magic bytes) and implement proper file naming conventions to prevent overwrites. WordPress nonce and capability checks must also be present and correctly validated for the upload function.

Successful exploitation grants an attacker the ability to upload arbitrary files, including PHP scripts, to the server. This directly leads to remote code execution with the web server’s privileges. An attacker can compromise the entire site, deface pages, steal data, establish a persistent backdoor, or use the server as a pivot point for network attacks. The impact is complete loss of confidentiality, integrity, and availability.