S4E

CVE-2021-24644 Scanner

CVE-2021-24644 Scanner - Local File Inclusion (LFI) vulnerability in Images to WebP

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 17 days 12 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Images to WebP is a popular plugin used for converting images to the WebP format on WordPress websites. This plugin is primarily used by web developers and website owners who wish to optimize their websites for faster load times by using WebP images. The plugin facilitates the conversion of images directly within the WordPress dashboard, offering a user-friendly interface. It is compatible with various versions of WordPress and is regarded as an effective solution for image optimization. Many websites use this plugin due to its convenience in improving website performance. Its integration within WordPress's backend makes it accessible and easy to use for users without technical expertise.

Local File Inclusion (LFI) is a type of vulnerability that occurs when an attacker is able to include files, usually through exploiting a file inclusion mechanism present in web applications. This vulnerability arises because the application accepts untrusted input and processes it within a file inclusion request without proper validation. LFI allows attackers to access files on the server, which might lead to information disclosure or execution of server-side scripts. The vulnerability is often used as a stepping stone to further exploit the server, potentially leading to remote code execution. Addressing such vulnerabilities is crucial to maintain the security and integrity of web applications.

The Images to WebP plugin for WordPress contains an LFI vulnerability due to improper validation of input parameters. Specifically, the 'tab' parameter in certain requests is not properly sanitized or validated, allowing an attacker to include unintended local files. This unsanitized parameter can be manipulated to traverse directories and include files from different paths on the server. An attacker exploiting this vulnerability could craft a URL to include sensitive files on the server, accessing potentially sensitive information. This flaw relies on the incorrect handling of paths in the include function, which should enforce stricter checks. The exploitation requires manipulating the request to the vulnerable endpoint.
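
For asset owners reviewing their own logs, the following added example (not part of the original page and not the plugin's or the scanner's code) flags requests whose 'tab' value is anything other than a plain slug, decoding repeatedly so that double-encoded traversal is also caught. The slug pattern, the combined access-log format, the admin path and the PLUGIN_SLUG page value are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: a legitimate tab name is a short slug (letters, digits, '_' or '-').
SAFE_TAB = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e%252e) is exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_tab(log_line):
    """Return the decoded 'tab' value if it is not a plain slug, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    # parse_qs performs the first round of percent-decoding.
    for raw in parse_qs(query).get("tab", []):
        value = fully_decode(raw)
        if not SAFE_TAB.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_tab(line)) is not None]

# Constructed sample lines; the admin path and page slug are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/options-general.php?page=PLUGIN_SLUG&tab=general HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/options-general.php?page=PLUGIN_SLUG&tab=..%2F..%2Fexample HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/options-general.php?page=PLUGIN_SLUG&tab=%252e%252e%252fexample HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: tab={value!r}")
```

The same slug check, applied on the server before the value ever reaches an include call, is the stricter validation the paragraph above refers to.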

When the Local File Inclusion vulnerability is exploited, malicious actors can gain unauthorized access to sensitive files on the server. This may include configuration files, databases, or other data not intended for public exposure. The exploit can lead to information disclosure, where sensitive information is obtained, which could be used for further attacks. Additionally, if combined with other vulnerabilities, it could allow attackers to execute arbitrary code on the server. Overall, this vulnerability threatens the confidentiality, integrity, and availability of the affected website. Proper mitigation strategies must be implemented to safeguard against such attacks.
