CVE-2021-24644
published 2021-11-23

Priority: P2 (76, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (VulnCheck KEV)
EPSS: 5.03% (91.2nd percentile)
The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue.

Affected

1 range
Vendor: imagestowebp_project
Product: images_to_webp
Version range: < 1.9
Fixed in: 1.9

Detection & IOCs (extracted from sources)

URL: /wp-admin/upload.php?page=images-to-webp.php&tab=..%2F..%2F..%2F..%2Fwp-links-opml
Path: /wp-content/plugins/images-to-webp/
Command: tab=..%2F..%2F..%2F..%2Fwp-links-opml
  • Exploit requires authentication; look for a POST to /wp-login.php followed immediately by a GET to /wp-admin/upload.php with a path-traversal value in the 'tab' parameter (URL-encoded '../' sequences).
  • Detect LFI attempts by inspecting the 'tab' query parameter on requests to /wp-admin/upload.php?page=images-to-webp.php for path-traversal sequences (e.g., ../ or URL-encoded variants such as %2F).
  • A successful exploit response will contain both 'wp-links-opml' and 'Images to WebP' in the body with HTTP 200, and a date string matching the pattern '[A-Za-z]{3}, [0-9]{2} [A-Za-z]{3} 20[0-9]{2}'.
  • Presence of the plugin can be fingerprinted via a PublicWWW/source-code search for the path '/wp-content/plugins/images-to-webp/' in page source.
  • The vulnerability is only exploitable by authenticated users; unauthenticated exploitation is not possible against a default WordPress installation.
  • The nuclei template requires valid WordPress credentials (username/password) to be supplied; the authentication step (HTTP 302 + wordpress_logged_in cookie) must succeed before the LFI request is attempted.
  • Only plugin versions strictly before 1.9 are vulnerable; version 1.9 and later contain the fix.

CVSS provenance

NVD v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
VulnCheck: 7.5 HIGH