CVE-2026-42756 Overview
CVE-2026-42756 is a path traversal vulnerability in the Ludwig You QuickWebP WordPress plugin, marketed as QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly. The flaw allows authenticated attackers to manipulate file path inputs to access or delete files outside the intended directory. According to the PatchStack advisory, the vulnerability enables arbitrary file deletion on affected WordPress sites. All plugin versions up to and including 3.2.7 are affected. The weakness is classified under CWE-22, Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
Authenticated attackers with low privileges can delete arbitrary files on the WordPress server, including wp-config.php, leading to site takeover.
Affected Products
- QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly WordPress plugin
- All versions from initial release through 3.2.7
- WordPress installations with the plugin enabled
Discovery Timeline
- 2026-05-27 - CVE-2026-42756 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-42756
Vulnerability Analysis
The QuickWebP plugin processes file path parameters without properly sanitizing directory traversal sequences. An attacker submits crafted input containing sequences such as ../ to escape the plugin's intended working directory. The application then operates on the resolved path, enabling deletion of any file whose containing directory is writable by the web server process.
The attack requires only low-privilege authentication, which on many WordPress sites includes subscriber or contributor accounts. The CVSS scope change indicates that the impact extends beyond the vulnerable component to the broader WordPress installation and host filesystem.
Root Cause
The root cause is missing canonicalization and validation of user-supplied file path parameters in the plugin's image management functions. The code accepts a filename or path argument and passes it to a file deletion routine without enforcing that the resolved path remains within an allowed base directory. This pattern matches CWE-22 path traversal weaknesses.
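The following Python illustration, added here and not taken from the plugin or the advisory, contrasts the join-and-use pattern described above with a canonicalize-then-contain check. BASE_DIR is an assumed uploads directory (the page does not state the plugin's real working directory), and the input is treated as already URL-decoded by the web server, as a PHP request parameter would be.

```python
import os
from typing import Optional

# Assumed allowed base directory for the plugin's file operations; the page
# does not name the plugin's real working directory, so this is a placeholder.
BASE_DIR = "/var/www/html/wp-content/uploads"


def vulnerable_resolve(user_path: str) -> str:
    """The CWE-22 pattern from the Root Cause section: the user-supplied name
    is joined to the base directory and used as-is, so ../ walks out of
    BASE_DIR and the result can land on files such as wp-config.php."""
    return os.path.normpath(os.path.join(BASE_DIR, user_path))


def safe_resolve(user_path: str) -> Optional[str]:
    """Hardened form: canonicalize first, then require the canonical path to
    sit inside BASE_DIR. Returns None (reject the request) otherwise.
    normpath is used so the example runs without the directory existing; on
    a live system use os.path.realpath so symlinks are collapsed as well."""
    base = os.path.normpath(BASE_DIR)
    candidate = os.path.normpath(os.path.join(BASE_DIR, user_path))
    # commonpath compares whole path components, so a sibling directory such
    # as .../uploads-old is rejected, unlike a plain string startswith check.
    # An absolute user path (os.path.join drops BASE_DIR for those) fails the
    # same test.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```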
Attack Vector
An authenticated user sends an HTTP request to the vulnerable plugin endpoint with a path parameter containing traversal sequences. Because the plugin runs in the WordPress context, the deletion executes with the privileges of the web server user. Removing wp-config.php forces WordPress into installation mode, which an attacker can leverage to connect the site to an attacker-controlled database and achieve remote code execution. Refer to the PatchStack Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-42756
Indicators of Compromise
- HTTP POST or GET requests to QuickWebP plugin endpoints containing ../ or URL-encoded %2e%2e%2f sequences in file path parameters
- Unexpected deletion of wp-config.php, .htaccess, or core WordPress files
- WordPress installation prompt appearing on a previously functional site
- Web server error logs showing file not found errors for core WordPress files following plugin activity
Detection Strategies
- Inspect web access logs for requests targeting /wp-admin/admin-ajax.php or QuickWebP plugin paths with directory traversal patterns
- Monitor filesystem audit logs for file deletion events initiated by the PHP-FPM or web server process outside the plugin's working directory
- Apply web application firewall rules that block traversal sequences in plugin parameters
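An added Python example (not from the advisory or the plugin) of the log inspection described above: it parses constructed Apache-style access-log lines, keeps requests to admin-ajax.php or the plugin directory, and flags query parameters that decode to a traversal sequence, including the double-encoded form. The AJAX action name, the "file" parameter and example.php are placeholders, not the plugin's real endpoint or parameter names.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format lines, not real traffic. The action name,
# the "file" parameter and example.php are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=quickwebp_example&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.10 - - [27/May/2026:10:01:09 +0000] "GET /wp-content/plugins/quickwebp/example.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [27/May/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=quickwebp_example&file=2026/05/photo.jpg HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [27/May/2026:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Request paths named in Detection Strategies: admin-ajax.php and the plugin's
# own directory under wp-content/plugins.
WATCHED_PATHS = ("/wp-admin/admin-ajax.php", "/wp-content/plugins/quickwebp/")
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # ".." as a whole component


def fully_decode(value: str) -> str:
    """Decode until stable so double-encoded %252e%252e%252f reads as ../."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding when a watched request carries a traversal sequence
    in any query parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not target.path.startswith(WATCHED_PATHS):
        return None
    # parse_qsl strips one layer of encoding; fully_decode handles the rest.
    for name, raw in parse_qsl(target.query, keep_blank_values=True):
        decoded = fully_decode(raw)
        if TRAVERSAL.search(decoded):
            return {"ip": m["ip"], "ts": m["ts"], "path": target.path,
                    "param": name, "decoded": decoded}
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan every line of an access log and collect the findings."""
    return [f for f in map(scan_line, text.splitlines()) if f]
```

Access logs record only the query string, so traversal sent in a POST body is invisible here; that case needs the activity logging or WAF inspection listed under Monitoring Recommendations.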
Monitoring Recommendations
- Enable WordPress activity logging plugins to capture authenticated user actions targeting media and plugin endpoints
- Forward web server logs and filesystem audit events to a centralized analytics platform for correlation
- Alert on integrity changes to critical WordPress files such as wp-config.php, index.php, and .htaccess
How to Mitigate CVE-2026-42756
Immediate Actions Required
- Disable or remove the QuickWebP plugin until a patched release is installed
- Audit WordPress user accounts and revoke unnecessary low-privilege access
- Verify integrity of wp-config.php and core WordPress files and restore from backup if tampering is detected
- Rotate database credentials and WordPress secret keys if compromise is suspected
Patch Information
At the time of publication, the vendor had not released a fixed version beyond 3.2.7. Monitor the PatchStack Vulnerability Report and the official plugin repository for an updated release that addresses CVE-2026-42756.
Workarounds
- Deactivate the QuickWebP plugin from the WordPress admin console
- Restrict file system permissions so the web server user cannot delete files outside the uploads directory
- Deploy a web application firewall rule that blocks ../ and encoded traversal sequences in plugin request parameters
- Limit plugin endpoint access by IP address using .htaccess or reverse proxy rules
# Disable the QuickWebP plugin via WP-CLI
wp plugin deactivate quickwebp
wp plugin delete quickwebp
# Restrict write permissions on critical files
# www-data is the Debian/Ubuntu web server group; adjust to your distribution
chmod 440 wp-config.php
chown root:www-data wp-config.php
# Note: deleting a file needs write permission on its parent directory, not on
# the file itself, so the WordPress root must also not be writable by the web
# server user for this to block deletion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.