CVE-2025-13750 identifies a missing authorization vulnerability (CWE-862) in the WordPress plugin 'Converter for Media – Optimize images | Convert WebP & AVIF' developed by mateuszgbiorczyk. The vulnerability exists in all versions up to and including 6.3.2. Specifically, the REST API endpoint /webp-converter/v1/regenerate-attachment lacks proper capability checks, allowing any authenticated user with Subscriber-level privileges or higher to invoke this endpoint and delete optimized image variants (WebP and AVIF formats) associated with arbitrary media attachments. This unauthorized modification does not require elevated privileges beyond Subscriber, nor user interaction, making it easier for low-privilege users to exploit. The impact is limited to the integrity of optimized image data, potentially forcing re-optimization or causing degraded site performance and user experience. The vulnerability does not affect confidentiality or availability of the system. The CVSS v3.1 score of 4.3 reflects the network attack vector, low attack complexity, and the requirement for low privileges but no user interaction. No patches or known exploits are currently available, but the vulnerability is publicly disclosed as of December 2025.

For European organizations, this vulnerability primarily threatens the integrity of media optimization on WordPress-based websites. Attackers with Subscriber-level access, which can be obtained through compromised accounts or weak credential policies, could delete optimized WebP/AVIF images, leading to increased bandwidth usage, slower page load times, and degraded user experience. This can indirectly affect brand reputation and user engagement, especially for media-heavy websites such as e-commerce, news portals, and marketing platforms. While the vulnerability does not expose sensitive data or cause denial of service, the ease of exploitation by low-privilege users increases risk in environments with multiple user roles or where subscriber accounts are common. Organizations relying on this plugin for image optimization should consider the operational impact of repeated re-optimization and potential service disruptions. The absence of known exploits reduces immediate risk but does not eliminate the threat of future attacks.

European organizations should implement the following specific mitigations: 1) Immediately update the 'Converter for Media – Optimize images | Convert WebP & AVIF' plugin to a patched version once available from the vendor. 2) Until a patch is released, restrict Subscriber-level user permissions by auditing and minimizing the number of users with such access, especially on publicly accessible sites. 3) Employ Web Application Firewalls (WAFs) to monitor and block suspicious REST API calls targeting /webp-converter/v1/regenerate-attachment. 4) Implement strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of account compromise. 5) Regularly monitor logs for unusual deletion activity related to media attachments. 6) Consider disabling or limiting REST API access for low-privilege users if feasible. 7) Educate site administrators about this vulnerability and encourage prompt response to suspicious behavior. These targeted actions go beyond generic advice by focusing on access control, monitoring, and interim protective measures.