Skip to main content

QuickWebP CVE-2026-42756

| EUVDEUVD-2026-32204 CRITICAL
Path Traversal (CWE-22)
2026-05-27 audit@patchstack.com GHSA-7hfx-87f9-p7x4
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 19:44 vuln.today

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP &#8211; Compress / Optimize Images &amp; Convert WebP | SEO Friendly quickwebp allows Path Traversal.This issue affects QuickWebP &#8211; Compress / Optimize Images &amp; Convert WebP | SEO Friendly: from n/a through <= 3.2.7.

AnalysisAI

Path traversal in the QuickWebP WordPress plugin (versions up to and including 3.2.7) allows authenticated low-privilege users to manipulate file paths and delete arbitrary files on the server, per the Patchstack advisory titling this an arbitrary file deletion flaw. With a CVSS of 9.9 and a changed scope, deletion of sensitive files such as wp-config.php can cascade into full site compromise. There is no public exploit identified at time of analysis.

Technical ContextAI

QuickWebP is a WordPress plugin by Ludwig You that compresses, optimizes, and converts images to WebP for SEO purposes. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning a file path parameter handled by the plugin is not properly canonicalized or constrained to an intended directory, so attacker-supplied sequences (e.g., ../) can escape the plugin's working directory. The reference (Patchstack) characterizes the concrete effect as arbitrary file deletion, indicating a file-handling routine - likely tied to the plugin's image/conversion cleanup or optimization functions - accepts unsanitized paths. No CPE strings were supplied beyond the WordPress plugin slug 'quickwebp'.

RemediationAI

No vendor-released patch identified at time of analysis - the available data lists versions through 3.2.7 as affected without naming a fixed release, so administrators should monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/quickwebp/vulnerability/wordpress-quickwebp-compress-optimize-images-convert-webp-seo-friendly-plugin-3-2-7-arbitrary-file-deletion-vulnerability?_s_id=cve) and the WordPress plugin repository for a release above 3.2.7 and upgrade immediately once published. Until a fix is available, the most effective compensating control is to deactivate and remove the QuickWebP plugin, which stops the vulnerable code path at the cost of losing image optimization/WebP conversion. If removal is not acceptable, restrict and audit low-privilege accounts (the attack requires an authenticated low-tier login per PR:L) by tightening user registration, enforcing strong authentication, and limiting which roles can reach plugin endpoints; additionally, deploy a WAF rule or virtual patch (Patchstack offers one) to block path-traversal sequences in requests to the plugin, accepting possible false positives on legitimate file parameters, and ensure file-system permissions prevent the web server user from deleting critical files like wp-config.php where feasible.

Share

CVE-2026-42756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy