WordPress Plugin Vulnerabilities

Squeeze < 1.7.8 - Authenticated (Subscriber+) Directory Traversal

Description

The Squeeze – Image Optimization & Compression, WEBP Conversion plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.

Affects Plugins

Plugin icon
squeeze
Fixed in 1.7.8

References

CVE
CVE-2026-32415
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/694b05bf-7779-4365-811e-029408922ec9

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nabil Irawan
Verified
No
WPVDB ID
8a329e64-b208-496b-8fb7-edfd2a17c4ba

Timeline

Publicly Published
2026-02-25 (about 4 months ago)
Added
2026-05-05 (about 1 month ago)
Last Updated
2026-05-05 (about 1 month ago)

Other

Published
Title
Published
2022-11-28
Title
InPost Gallery < 2.1.4.1 - Unauthenticated LFI to RCE
Published
2025-05-24
Title
WP Job Portal < 2.3.3 - Unauthenticated Arbitrary File Download
Published
2024-06-20
Title
WishList Member X < 3.26.7 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2026-04-13
Title
Meta Box < 5.11.2 - Contributor+ Arbitrary File Deletion
Published
2014-09-28
Title
lote27 Theme - Arbitrary File Download