CVE-2025-15158: CWE-434 Unrestricted Upload of File with Dangerous Type in eastsidecode WP Enable WebP
CVE-2025-15158 is a high-severity vulnerability in the WP Enable WebP WordPress plugin that allows authenticated users with Author-level or higher privileges to upload arbitrary files because of improper file type validation. The flaw is in the plugin's 'wpse_file_and_ext_webp' function and affects all versions up to and including 1.0. Exploitation can lead to remote code execution on the affected web server and requires no user interaction. The CVSS v3.1 base score is 8.8 (High), reflecting high impact on confidentiality, integrity, and availability. No exploitation in the wild has been reported, but the low attack complexity and the potential impact make it a significant threat. European organizations running this plugin should prioritize patching or mitigating it; countries with high WordPress adoption and significant web infrastructure are most exposed. Mitigation involves restricting who can upload, applying strict access controls, and monitoring for suspicious file uploads.
AI Analysis
Technical Summary
CVE-2025-15158 is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and affects the WP Enable WebP plugin for WordPress. The issue is improper file type validation in the plugin's 'wpse_file_and_ext_webp' function, which, judging by its name, is the plugin's hook into WordPress's file-type and extension checking for WebP uploads and fails to adequately restrict what authenticated users can upload. All versions up to and including 1.0 are affected. Author is the lowest default WordPress role that holds the upload_files capability, which is why Author-level privileges or higher are required: any account that can add media can push an arbitrary file, including a PHP script, through the plugin's weakened check. Plugin code runs as PHP under the web server's user, and if the uploaded file lands under a web-reachable path such as wp-content/uploads and the server executes PHP there, a single request to that file runs the attacker's code. This yields remote code execution (RCE): the attacker can execute arbitrary commands, compromise the server, steal data, or pivot to other network assets. No user interaction is required beyond holding the necessary privileges, and the attack vector is network-based, so the flaw is remotely exploitable. The CVSS v3.1 base score of 8.8 corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: high impact on confidentiality, integrity, and availability combined with low attack complexity and low privileges required. Although no exploitation in the wild has been reported, the nature and severity of the bug make it a critical concern for WordPress sites using this plugin. No patch was available at the time of publication, which increases the urgency of mitigation.
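The check-then-accept pattern behind a CWE-434 bug of this kind can be shown in PHP. The block below is an added example written for this page, not code from the WP Enable WebP plugin or from WordPress: it places a WebP-enabling callback for WordPress's 'wp_check_filetype_and_ext' filter that trusts the file name (the weak form) next to one that requires the extension, the MIME type WordPress sniffed and the RIFF/WEBP magic bytes to agree. The example_* function names and the two constructed sample files are assumptions; 'wp_check_filetype_and_ext' and add_filter() are real WordPress APIs.

```php
<?php
// Added illustration of the CWE-434 pattern: a filter that "enables WebP"
// by trusting the upload's file name, beside a version that checks the bytes.
// Hypothetical code written for this page, not the WP Enable WebP plugin's
// source; every example_* name and sample below is an assumption.

// What WordPress hands to the 'wp_check_filetype_and_ext' filter when it
// could not match the upload: nothing accepted yet.
function example_rejected_types() {
    return array( 'ext' => false, 'type' => false, 'proper_filename' => false );
}

// WEAK: any upload whose name ends in .webp is declared image/webp, and the
// MIME type WordPress sniffed ($real_mime) is ignored. A PHP script named
// payload.webp passes this check unchanged.
function example_weak_webp_filter( $types, $file, $filename, $mimes, $real_mime = false ) {
    if ( preg_match( '/\.webp$/i', $filename ) ) {
        $types['ext']  = 'webp';
        $types['type'] = 'image/webp';
    }
    return $types;
}

// A WebP file is a RIFF container: bytes 0-3 "RIFF", 4-7 little-endian
// chunk size, 8-11 the FourCC "WEBP".
function example_is_webp_content( $path ) {
    $head = @file_get_contents( $path, false, null, 0, 12 );
    return is_string( $head )
        && strlen( $head ) === 12
        && substr( $head, 0, 4 ) === 'RIFF'
        && substr( $head, 8, 4 ) === 'WEBP';
}

// HARDENED: extension, sniffed MIME type and magic bytes must all agree;
// otherwise the array is returned exactly as WordPress built it (rejected).
function example_hardened_webp_filter( $types, $file, $filename, $mimes, $real_mime = false ) {
    $ext_ok  = (bool) preg_match( '/\.webp$/i', $filename );
    $mime_ok = ( $real_mime === false || $real_mime === 'image/webp' );
    if ( $ext_ok && $mime_ok && example_is_webp_content( $file ) ) {
        $types['ext']             = 'webp';
        $types['type']            = 'image/webp';
        $types['proper_filename'] = false;
    }
    return $types;
}

// Inside WordPress the hardened callback would be registered like this.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wp_check_filetype_and_ext', 'example_hardened_webp_filter', 10, 5 );
}

// Stand-alone demo with constructed files (assumption: a writable temp dir).
$dir = sys_get_temp_dir() . '/cwe434-demo-' . getmypid();
mkdir( $dir );
$samples = array(
    // Minimal RIFF/WEBP header followed by a VP8 chunk tag; real encoders
    // emit this same 12-byte prefix.
    'photo.webp'   => 'RIFF' . pack( 'V', 12 ) . 'WEBP' . 'VP8 ',
    // PHP source stored under a .webp name: what an attacker would upload.
    'payload.webp' => "<?php echo 'not an image'; ?>",
);
foreach ( $samples as $name => $bytes ) {
    $path = "$dir/$name";
    file_put_contents( $path, $bytes );
    // Constructed stand-in for what WordPress's sniffing would report.
    $sniffed = ( $name === 'photo.webp' ) ? 'image/webp' : 'text/x-php';
    $weak = example_weak_webp_filter( example_rejected_types(), $path, $name, array(), $sniffed );
    $hard = example_hardened_webp_filter( example_rejected_types(), $path, $name, array(), $sniffed );
    printf( "%-13s weak=%-12s hardened=%s\n", $name,
        var_export( $weak['type'], true ), var_export( $hard['type'], true ) );
    unlink( $path );
}
rmdir( $dir );
```

Run it with the php command-line binary: the weak filter labels both constructed files image/webp, the hardened one accepts only photo.webp. The magic-byte check is necessary but not sufficient. A file that begins with a valid RIFF/WEBP header and carries PHP after it (a polyglot) still passes, which is why a web server rule that refuses to execute PHP under wp-content/uploads matters even after the plugin itself is fixed.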
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites with the WP Enable WebP plugin installed. Successful exploitation can lead to full server compromise, data breaches involving sensitive customer or business information, defacement of websites, or use of the compromised server as a foothold for further attacks within corporate networks. The impact extends to service disruption and reputational damage, particularly for e-commerce, government, and media websites that rely heavily on WordPress. Given the high adoption rate of WordPress across Europe, the attack surface is substantial. Organizations subject to strict data protection regulations such as GDPR face additional compliance exposure if a breach occurs. Because the attack needs no user interaction and only Author-level privileges, the likelihood of exploitation is higher in environments with many authors or contributors, where a single weak or reused password is enough to obtain the required account. A compromised site can also be used to serve malware or phishing pages to its visitors.
Mitigation Recommendations
Immediate mitigation steps: review which accounts hold the upload_files capability (Author and above by default) and reduce them to the minimum, and disable or uninstall the WP Enable WebP plugin until a fixed version is released. Confirm that ALLOW_UNFILTERED_UPLOADS is not defined as true in wp-config.php, since that constant switches off WordPress's own file-type check for every upload. Configure the web server to refuse to execute PHP (and other server-side scripts) under wp-content/uploads, so that a file that does get past validation cannot be run by requesting it; a web application firewall (WAF) with rules for suspicious multipart uploads adds a second layer. Enforce strict upload validation at the server level, such as limiting accepted MIME types and checking file content rather than the file name, and scan uploaded files for malicious content. Audit user permissions regularly and monitor access logs for unusual upload activity (for example, POST requests to wp-admin/async-upload.php or wp-admin/media-new.php from accounts that rarely upload, followed by GET requests for newly created files with script extensions) so that exploitation attempts are caught early. Isolating WordPress instances in segmented network zones and running the web server process with least privilege limits the impact of a successful attack. Stay informed about vendor updates and apply the patch promptly once available, and review backup strategies to ensure rapid recovery after a compromise.
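The file scanning recommended above can start with a read-only audit of the uploads directory. The block below is an added example written for this page, not a tool shipped with WordPress or the plugin; it generalizes beyond WebP to the JPEG, PNG and GIF magic bytes as well, and flags executable extensions anywhere in a file name, image files whose bytes are not that image, polyglots that carry a PHP open tag behind a valid image header, and .htaccess or .user.ini files inside uploads. The example_* function names, the extension list and the constructed sample tree are assumptions; point example_audit_uploads() at a real wp-content/uploads to use it.

```php
<?php
// Added example: a read-only audit of wp-content/uploads for what an
// unrestricted-upload bug leaves behind. Written for this page; not part
// of WordPress or the plugin. Function names, the extension list and the
// constructed sample tree are assumptions.

// PHP-family extensions a web server might execute; extend for your stack.
const EXAMPLE_EXEC_EXT = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'pht', 'phps' );

// Magic bytes per image extension: a list of alternatives, each a list of
// (offset, bytes) pairs that must all match.
function example_expected_magic( $ext ) {
    switch ( $ext ) {
        case 'jpg':
        case 'jpeg': return array( array( array( 0, "\xFF\xD8\xFF" ) ) );
        case 'png':  return array( array( array( 0, "\x89PNG\r\n\x1a\n" ) ) );
        case 'gif':  return array( array( array( 0, 'GIF87a' ) ), array( array( 0, 'GIF89a' ) ) );
        case 'webp': return array( array( array( 0, 'RIFF' ), array( 8, 'WEBP' ) ) );
        default:     return null; // not an image type this audit knows
    }
}

function example_magic_matches( $head, $alternatives ) {
    foreach ( $alternatives as $pairs ) {
        $all = true;
        foreach ( $pairs as list( $offset, $bytes ) ) {
            if ( substr( $head, $offset, strlen( $bytes ) ) !== $bytes ) {
                $all = false;
                break;
            }
        }
        if ( $all ) {
            return true;
        }
    }
    return false;
}

// Walks $root and returns a list of [relative path, reason] findings.
function example_audit_uploads( $root ) {
    $findings = array();
    $walker   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $walker as $file ) {
        $rel   = substr( $file->getPathname(), strlen( $root ) + 1 );
        $name  = strtolower( $file->getFilename() );
        $parts = explode( '.', $name );
        $ext   = count( $parts ) > 1 ? end( $parts ) : '';

        // 1. Server config dropped into uploads can re-enable script execution.
        if ( $name === '.htaccess' || $name === '.user.ini' ) {
            $findings[] = array( $rel, 'server config file inside uploads' );
            continue;
        }
        // 2. Executable extension anywhere after the base name (shell.php, shell.php.webp).
        $exec = array_intersect( array_slice( $parts, 1 ), EXAMPLE_EXEC_EXT );
        if ( $exec ) {
            $findings[] = array( $rel, 'executable extension: ' . implode( ',', $exec ) );
            continue;
        }
        $expected = example_expected_magic( $ext );
        if ( $expected === null ) {
            continue;
        }
        $head = (string) file_get_contents( $file->getPathname(), false, null, 0, 4096 );
        // 3. Image name, non-image bytes (PHP saved as .webp).
        if ( ! example_magic_matches( $head, $expected ) ) {
            $findings[] = array( $rel, "content does not match .$ext magic bytes" );
        } elseif ( strpos( $head, '<?php' ) !== false || strpos( $head, '<?=' ) !== false ) {
            // 4. Valid image header followed by PHP: a polyglot.
            $findings[] = array( $rel, 'PHP open tag behind a valid image header (polyglot)' );
        }
    }
    return $findings;
}

// Stand-alone demo on a constructed tree (assumption: a writable temp dir).
$root = sys_get_temp_dir() . '/uploads-audit-' . getmypid();
mkdir( "$root/2026/01", 0700, true );
$constructed = array(
    '2026/01/photo.webp'     => 'RIFF' . pack( 'V', 12 ) . 'WEBPVP8 ',        // genuine WebP prefix
    '2026/01/logo.png'       => "\x89PNG\r\n\x1a\n" . str_repeat( "\0", 16 ), // genuine PNG prefix
    '2026/01/payload.webp'   => "<?php echo 'not an image'; ?>",               // PHP under an image name
    '2026/01/shell.php.webp' => 'anything',                                     // double extension
    '2026/01/banner.gif'     => "GIF89a<?php echo 'polyglot'; ?>",              // image header then PHP
    '2026/01/.htaccess'      => "# constructed\n",                              // config file in uploads
);
foreach ( $constructed as $rel => $bytes ) {
    file_put_contents( "$root/$rel", $bytes );
}
foreach ( example_audit_uploads( $root ) as list( $rel, $why ) ) {
    echo "$rel: $why\n";
}
foreach ( $constructed as $rel => $_ ) {
    unlink( "$root/$rel" );
}
rmdir( "$root/2026/01" );
rmdir( "$root/2026" );
rmdir( $root );
```

Of the six constructed files only photo.webp and logo.png pass; the other four are reported with the reason that matched. The polyglot check only reads the first 4 KB, so a PHP tag placed deeper in a large image is missed; a full-content scan or an antivirus pass with image-aware rules closes that gap. Run the audit from cron and diff the output against the previous run so that new findings stand out.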
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-27T19:08:50.291Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e1b30a55ed4ed998cb6a7
Added to database: 1/7/2026, 8:37:04 AM
Last enriched: 1/14/2026, 3:48:17 PM
Last updated: 2/5/2026, 4:30:19 PM