CVE-2026-42756

Ludwig You · QuickWebP

A path traversal vulnerability in the QuickWebP plugin allows attackers to perform arbitrary file deletion on the host server.

Executive summary

A critical path traversal vulnerability in the QuickWebP WordPress plugin allows for arbitrary file deletion, threatening site availability and data integrity.

Vulnerability

The plugin contains a path traversal vulnerability that fails to properly sanitize pathnames. This flaw allows an attacker to traverse the directory structure and delete arbitrary files from the server, potentially causing a denial-of-service or damaging site configuration files.
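The check that a file-deletion handler needs to prevent this class of flaw is shown below, as an added illustration that is not QuickWebP's code; it assumes the plugin only ever needs to delete files beneath the WordPress uploads directory, and the scratch tree and request values are constructed for the demonstration.

```php
<?php
// Added illustration, not the plugin's code: canonicalise the requested
// path and accept it only if it stays inside the permitted base directory.
// Assumption: legitimate deletions are always relative to the uploads dir.

/**
 * Resolve $requested relative to $baseDir and return the canonical path,
 * or null when the request is malformed or escapes $baseDir.
 */
function resolve_contained_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject NUL bytes, empty and absolute paths before touching the
    // filesystem; none of them can name a legitimate upload.
    if (strpos($requested, "\0") !== false || $requested === ''
        || $requested[0] === '/' || $requested[0] === '\\') {
        return null;
    }
    // realpath() collapses "..", resolves symlinks and returns false for
    // paths that do not exist, so traversal sequences cannot survive it.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as ".../uploads2" is not mistaken for being inside ".../uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed scratch tree; nothing outside it is created or touched.
$root = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
mkdir("$root/uploads/2024", 0700, true);
file_put_contents("$root/uploads/2024/photo.webp", 'webp');
file_put_contents("$root/wp-config.php", 'config');

$requests = ['2024/photo.webp', '../wp-config.php',
             '2024/../../wp-config.php', "2024/photo.webp\0.png"];
foreach ($requests as $req) {
    $resolved = resolve_contained_path("$root/uploads", $req);
    printf("%-30s => %s\n", addcslashes($req, "\0"),
           $resolved === null ? 'REJECTED' : 'ok: ' . basename($resolved));
}
```

Only a request that canonicalises to a path under the uploads directory is handed back for deletion; a handler that calls unlink() directly on the concatenated user-supplied name has no such guard, which is the pattern the advisory describes.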

Business impact

The CVSS score of 9.9 underscores the critical risk this vulnerability poses to business continuity. Successful exploitation allows for the deletion of essential files, which can lead to significant downtime, loss of operational capability, and potential data corruption. Organizations relying on this plugin for image optimization face a high risk of service disruption if the vulnerability is targeted.

Remediation

Immediate Action: Update the QuickWebP plugin to a fixed release later than version 3.2.7 as soon as possible.

Proactive Monitoring: Monitor server logs for directory traversal signatures and maintain regular backups of the web server file structure to facilitate recovery in the event of tampering.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter incoming requests and block attempts to access or manipulate sensitive directories outside of the intended web root.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

This vulnerability is rated critical because it permits destructive file-system operations. Users of the QuickWebP plugin should update to the latest patched version immediately to prevent unauthorized file deletion. Security teams should prioritize this update within their standard patch management cycle to preserve the integrity of the web hosting environment.