CVE-2026-24530
Description
Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WebP Conversion: from n/a through <= 2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WebP Conversion plugin for WordPress (<=2.2) has a missing authorization vulnerability allowing unauthenticated attackers to manipulate access control settings.
The WebP Conversion WordPress plugin (versions through 2.2) suffers from a Missing Authorization vulnerability. This flaw stems from an incorrectly configured access control security level, where certain functions lack proper authorization checks, nonce validation, or authentication requirements [1].
Exploitation of this issue requires no authentication—any unauthenticated user, including visitors, can trigger privileged actions that should be restricted to higher-level users. This makes the vulnerability easy to chain in mass-exploit campaigns targeting thousands of websites, regardless of their size or popularity [1].
The impact is that attackers can exploit incorrectly configured access control security levels to perform unauthorized actions, potentially leading to privilege escalation or unauthorized modification of plugin settings [1].
Users are strongly advised to immediately update the WebP Conversion plugin to a patched version if available. For those unable to update, contacting the hosting provider or a web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <= 2.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.