WP Enable WebP

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

AI Analysis

Arbitrary file upload vulnerability due to improper file type validation

Basic Information

ID CVE-2025-15158

Source Wordfence

Published Jan 7, 2026 at 08:21

Affected Product

Vendor eastsidecode

Product WP Enable WebP

Version *

Affected Versions eastsidecode WP Enable WebP *

CWE Classification

CWE-434

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor eastsidecode

Product WP Enable WebP

Version 1.0

References

{
    "lastseen": "",
    "description": "The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.",
    "published": "2026-01-07T08:21:56.508Z",
    "modified": "2026-01-07T08:21:56.508Z",
    "type": "cve",
    "title": "WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa53c5ee-fe7f-4fb2-baaa-2c1a151d4b2c?source=cve\nhttps://plugins.trac.wordpress.org/browser/wp-enable-webp/trunk/wp-enable-webp.php?rev=1998897#L43",
    "id": "CVE-2025-15158",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "eastsidecode WP Enable WebP *",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WP Enable WebP",
    "version": "*",
    "vendor": "eastsidecode",
    "ai_description": "Arbitrary file upload vulnerability due to improper file type validation",
    "ai_severity": "High",
    "ai_vendor": "eastsidecode",
    "ai_product": "WP Enable WebP",
    "ai_version": "1.0",
    "ai_score": 8.8
}

WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload_CVE-2025-15158