CVE-2025-15158
Unknown Unknown - Not Provided
Arbitrary File Upload in WP Enable WebP Plugin Enables RCE

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: Wordfence

Description
The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15158
EUVD
EUVD-2026-1268
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor wp_enable_webp to 1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the WP Enable WebP WordPress plugin (up to version 1.0) due to improper file type validation in the 'wpse_file_and_ext_webp' function. Authenticated users with Author-level access or higher can exploit this flaw to upload arbitrary files to the server. Because the plugin does not correctly validate file types, attackers can upload malicious files that could lead to remote code execution on the affected site.

Impact Analysis

If exploited, this vulnerability allows an attacker with Author-level access or above to upload arbitrary files to your WordPress server. This can lead to remote code execution, potentially allowing the attacker to take control of your website, deface content, steal data, or use your server for malicious activities.

Mitigation Strategies

To mitigate this vulnerability, immediately update or remove the WP Enable WebP plugin if it is at version 1.0 or below. Restrict upload permissions to trusted users only, especially limiting Author-level access. Monitor and audit file uploads for suspicious or unexpected file types. Consider disabling the plugin until a patched version is available to prevent arbitrary file uploads that could lead to remote code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15158. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart