CVE-2021-24644
Published: 2021-11-23
Priority: P276
Severity: high, CVSS 3.1 base score 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (VulnCheck KEV)
EPSS: 5.03% (91.2nd percentile)
The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| imagestowebp_project | images_to_webp | < 1.9 | 1.9 |
Detection & IOCs (extracted from sources)
- Exploit requires authentication; look for a POST to /wp-login.php followed immediately by a GET to /wp-admin/upload.php with a path-traversal value in the 'tab' parameter (URL-encoded '../' sequences).
- Detect LFI attempts by inspecting the 'tab' query parameter on requests to /wp-admin/upload.php?page=images-to-webp.php for path traversal sequences (e.g., ../ or URL-encoded variants such as %2F).
- A successful exploit response will contain both 'wp-links-opml' and 'Images to WebP' in the body with HTTP 200, and a date string matching the pattern '[A-Za-z]{3}, [0-9]{2} [A-Za-z]{3} 20[0-9]{2}'.
- Presence of the plugin can be fingerprinted via a PublicWWW/source-code search for the path '/wp-content/plugins/images-to-webp/' in page source.
- The vulnerability is only exploitable by authenticated users; unauthenticated exploitation is not possible against a default WordPress installation.
- The nuclei template requires valid WordPress credentials (username/password) to be supplied; the authentication step (HTTP 302 + wordpress_logged_in cookie) must succeed before the LFI request is attempted.
- Only plugin versions strictly before 1.9 are vulnerable; version 1.9 and later contain the fix.
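The detection logic described in the bullets above, as an added example that is not part of this record or of any indexed template: it parses access-log lines in the common "combined" format (the sample lines are constructed), flags GET requests to /wp-admin/upload.php with page=images-to-webp.php whose 'tab' value carries a traversal sequence (plain, URL-encoded, or double-encoded, which goes slightly beyond the single '%2F' variant named above), correlates each hit with a preceding POST to /wp-login.php from the same client, and checks a captured response against the 'wp-links-opml' / 'Images to WebP' / date-string signature. Log format, function names and the sample data are assumptions made for this example.

```python
"""Detect CVE-2021-24644 LFI attempts in web-server access logs (added example, not from the record)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log line: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Date signature quoted in the IOC list above.
DATE_RE = re.compile(r'[A-Za-z]{3}, [0-9]{2} [A-Za-z]{3} 20[0-9]{2}')

VULN_PATH = "/wp-admin/upload.php"
VULN_PAGE = "images-to-webp.php"


def has_traversal(value: str) -> bool:
    """True if the value contains '../' after up to two rounds of percent-decoding.

    parse_qs() already decodes once, so one extra round here catches values
    such as %252e%252e%252f that were double-encoded on the wire."""
    candidates = {value}
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
        candidates.add(decoded)
    return any(TRAVERSAL_RE.search(c) for c in candidates)


def is_lfi_attempt(method: str, path: str) -> bool:
    """Match the vulnerable endpoint and a traversal payload in the 'tab' parameter."""
    parts = urlsplit(path)
    if method != "GET" or parts.path != VULN_PATH:
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("page") != [VULN_PAGE]:
        return False
    return any(has_traversal(tab) for tab in qs.get("tab", []))


def scan_log(text: str) -> list:
    """Return one finding per LFI attempt, noting whether the same client logged in first."""
    login_seen = set()  # clients that issued POST /wp-login.php earlier in the log
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line; skip rather than crash
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "POST" and urlsplit(path).path == "/wp-login.php":
            login_seen.add(ip)
            continue
        if is_lfi_attempt(method, path):
            tab = parse_qs(urlsplit(path).query).get("tab", [""])[0]
            findings.append({
                "ip": ip, "ts": m["ts"], "status": int(m["status"]),
                "tab": tab, "login_seen": ip in login_seen,
            })
    return findings


def response_indicates_success(status: int, body: str) -> bool:
    """Apply the response signature from the IOC list to a captured reply."""
    return (status == 200 and "wp-links-opml" in body
            and "Images to WebP" in body and DATE_RE.search(body) is not None)


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Nov/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [23/Nov/2021:10:00:02 +0000] "GET /wp-admin/upload.php?page=images-to-webp.php&tab=..%2F..%2F..%2Fwp-links-opml.php HTTP/1.1" 200 4521
198.51.100.4 - - [23/Nov/2021:10:05:00 +0000] "GET /wp-admin/upload.php?page=images-to-webp.php&tab=settings HTTP/1.1" 200 3120
198.51.100.4 - - [23/Nov/2021:10:06:00 +0000] "GET /wp-admin/upload.php?page=images-to-webp.php&tab=%252e%252e%252fwp-links-opml.php HTTP/1.1" 200 3120
192.0.2.9 - - [23/Nov/2021:10:07:00 +0000] "GET /index.php?tab=../../x HTTP/1.1" 404 200
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Run as a script it prints two findings: the first from 203.0.113.7 with `login_seen` True (login POST immediately before the traversal GET, the sequence the first bullet describes), the second from 198.51.100.4 with `login_seen` False (double-encoded payload, no prior login in the sample). The request to /index.php is ignored because the plugin endpoint is not involved.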
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |
GHSA
GHSA-4524-hxm7-m92p (ghsa_unreviewed, 2021-11-24): CVE-2021-24644 [HIGH], CWE-22
The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue
VulnCheck
CVE-2021-24644 [HIGH] (vulncheck, 2021, CVSS 7.5): imagestowebp_project images_to_webp Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue
Affected: imagestowebp_project images_to_webp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/images-to-webp/wordpress-images-to-webp-plugin-1-8-authenticated-local-file-inclusion-lfi-vulnerability
Nuclei
CVE-2021-24644 [HIGH] (nuclei, CVSS 7.5): Images to WebP < 1.9 - Authenticated Local File Inclusion
The Images to WebP WordPress plugin before version 1.9 did not validate or sanitize the tab parameter before using it in the include() function.
Template (info block as indexed; the request section is not included on this page):

```yaml
id: CVE-2021-24644
info:
  name: Images to WebP < 1.9 - Authenticated Local File Inclusion
  author: Sourabh-Sahu
  severity: high
  description: |
    The Images to WebP WordPress plugin before version 1.9 did not validate or sanitize the tab parameter before using it in the include() function.
  impact: |
    Authenticated attackers can read arbitrary local files from the server via path traversal, potentially exposing sensitive configuration files, credentials, and system information.
  remediation: Fixed in 1.9
  reference:
    - https://wpscan.com/vulnerability/5a363eeb-9510-4535-97e2-9dfd3b10d511
```