CVE-2025-13750: CWE-862 Missing Authorization in mateuszgbiorczyk Converter for Media – Optimize images | Convert WebP & AVIF
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-13750 affects the WordPress plugin 'Converter for Media – Optimize images | Convert WebP & AVIF' developed by mateuszgbiorczyk. This plugin is designed to optimize images by converting them to modern formats like WebP and AVIF to improve website performance. The security flaw is a missing authorization check (CWE-862) on the REST API endpoint /webp-converter/v1/regenerate-attachment, which is responsible for regenerating or deleting optimized image variants. Because the endpoint lacks proper capability verification, any authenticated user with at least Subscriber-level privileges can invoke this endpoint to delete optimized WebP and AVIF images associated with arbitrary attachments. This unauthorized modification does not require elevated privileges beyond Subscriber, which is a low-level role typically assigned to users with minimal access rights. The vulnerability does not impact confidentiality or availability directly but affects data integrity by allowing deletion of optimized images, potentially degrading website media quality and user experience. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the network attack vector, low attack complexity, required privileges, and no user interaction. No patches were linked at the time of publication, and no known exploits are reported in the wild. The vulnerability affects all versions of the plugin up to and including 6.3.2. Given the widespread use of WordPress and the popularity of image optimization plugins, this vulnerability could be leveraged by malicious insiders or compromised low-privilege accounts to disrupt media content on targeted websites.
Potential Impact
For European organizations, the primary impact of this vulnerability lies in the potential degradation of website media quality and user experience due to unauthorized deletion of optimized image variants. This can affect e-commerce platforms, media companies, and any business relying on WordPress sites for customer engagement and brand reputation. While the vulnerability does not expose sensitive data or cause service outages, the loss of optimized images can increase page load times and reduce SEO rankings, indirectly impacting business performance. Organizations with multiple contributors or low-privilege user accounts are at higher risk, as attackers only need Subscriber-level access. Additionally, attackers could use this vulnerability as part of a broader attack chain to undermine website integrity or conduct defacement campaigns. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as automated scanning tools may soon detect vulnerable installations.
Mitigation Recommendations
To mitigate this vulnerability, organizations should:
- Monitor for and apply security updates or patches from the plugin vendor as soon as they become available.
- Restrict Subscriber-level user accounts and review user roles to ensure minimal necessary privileges are assigned, reducing the attack surface.
- Implement Web Application Firewalls (WAFs) with rules to detect and block suspicious REST API calls targeting the /webp-converter/v1/regenerate-attachment endpoint.
- Audit REST API usage logs regularly to identify unauthorized or anomalous requests.
- Consider disabling or limiting REST API access for low-privilege users if not required for business operations.
- Back up optimized media files regularly to enable quick restoration if deletion occurs.
- Educate site administrators and content managers about the risks of granting unnecessary access and the importance of plugin updates.
These steps go beyond generic advice by focusing on access control, monitoring, and proactive defense tailored to the specific vulnerability vector.
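As an added defender-side illustration (not the plugin's own code), this shows how a WordPress REST route in the page's `webp-converter/v1` namespace can be registered with an explicit permission_callback, which is the control a CWE-862 finding like this one is missing. The function names, the `cfm_example_regenerate` action, and the capability choice (upload_files plus edit_post on the target attachment) are assumptions for the example.

```php
<?php
// Added example, not the plugin's code: a REST route whose permission_callback
// ties the operation to the caller's rights on the specific attachment.

add_action( 'rest_api_init', function () {
    register_rest_route(
        'webp-converter/v1',
        '/regenerate-attachment',
        array(
            'methods'  => 'POST',
            'callback' => 'cfm_example_regenerate_attachment',
            // The missing capability check: never '__return_true' on a
            // route that modifies data.
            'permission_callback' => 'cfm_example_can_regenerate_attachment',
            'args' => array(
                'attachment_id' => array(
                    'required'          => true,
                    'type'              => 'integer',
                    'sanitize_callback' => 'absint',
                ),
            ),
        )
    );
} );

function cfm_example_can_regenerate_attachment( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $id   = absint( $request->get_param( 'attachment_id' ) );
    $post = get_post( $id );
    // Reject IDs that do not resolve to a media-library attachment.
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return new WP_Error( 'rest_not_found', 'Attachment not found.', array( 'status' => 404 ) );
    }
    // A Subscriber has neither upload_files nor edit_post on another user's
    // attachment, so this is where a low-privilege caller is refused.
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_post', $id ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

function cfm_example_regenerate_attachment( WP_REST_Request $request ) {
    $id = absint( $request->get_param( 'attachment_id' ) );
    // Hypothetical hook where the real variant regeneration would run; it is
    // only reached after the permission callback above has returned true.
    do_action( 'cfm_example_regenerate', $id );
    return rest_ensure_response( array( 'attachment_id' => $id, 'queued' => true ) );
}
```

With this in place, a Subscriber calling the endpoint receives a 403 from WordPress before the handler runs, which is also the response a log audit (item 4 above) would look for when hunting for attempted misuse.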
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-26T16:51:27.349Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694254ebbd21432f8e5297bc
Added to database: 12/17/2025, 6:59:55 AM
Last enriched: 12/17/2025, 7:15:19 AM
Last updated: 12/17/2025, 9:06:16 AM