The vulnerability identified as CVE-2025-13750 affects the WordPress plugin 'Converter for Media – Optimize images | Convert WebP & AVIF' developed by mateuszgbiorczyk. This plugin is used to optimize images by converting them into modern formats such as WebP and AVIF to improve website performance. The security flaw is a missing authorization check (CWE-862) on the REST API endpoint /webp-converter/v1/regenerate-attachment, which is responsible for regenerating or deleting optimized image variants. Because the endpoint does not verify whether the authenticated user has the necessary permissions, any user with Subscriber-level access or higher can invoke this endpoint to delete optimized WebP and AVIF images associated with arbitrary attachments. This unauthorized modification compromises the integrity of the optimized image data, potentially degrading website appearance and performance. The vulnerability affects all versions up to and including 6.3.2 of the plugin. The CVSS v3.1 base score is 4.3, indicating medium severity with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, meaning network attack vector, low attack complexity, requires privileges, no user interaction, unchanged scope, no confidentiality or availability impact, but integrity is impacted. No patches or exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly.

The primary impact of this vulnerability is the unauthorized deletion of optimized WebP and AVIF image variants on WordPress sites using the affected plugin. This can lead to degraded website performance and user experience due to the absence of optimized images, potentially increasing page load times and bandwidth usage. While the core image files remain intact, the loss of optimized variants may force the site to serve larger images, affecting SEO rankings and visitor retention. Attackers with Subscriber-level access, which is a low privilege level often granted to registered users or commenters, can exploit this flaw, increasing the risk of insider threats or compromised accounts being leveraged. Although the vulnerability does not affect confidentiality or availability directly, the integrity impact can disrupt site operations and content presentation. Organizations relying heavily on image optimization for performance and user engagement may see reputational damage or reduced site efficiency. The lack of known exploits reduces immediate risk, but the vulnerability's presence in a popular WordPress plugin means widespread exposure.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates released by the plugin developer once available. Until a patch is released, administrators should restrict Subscriber-level and other low-privilege user roles from accessing or interacting with the REST API endpoints related to the plugin, possibly by using security plugins that control REST API permissions or by custom code to enforce capability checks. Monitoring and auditing user activities on the WordPress site can help detect unauthorized attempts to invoke the vulnerable endpoint. Additionally, implementing a Web Application Firewall (WAF) with rules to block suspicious REST API calls targeting /webp-converter/v1/regenerate-attachment can reduce exploitation risk. Site owners should also consider temporarily disabling the plugin if image optimization is not critical or switching to alternative plugins with proper authorization controls. Regular backups of media files and optimized images are recommended to enable quick restoration if deletion occurs. Finally, educating users about the risks of compromised accounts and enforcing strong authentication policies will reduce the likelihood of attackers gaining the necessary privileges.