26 Jun 2019

Vulnerability Details: Privilege Escalation in WebP Converter for Media

As plugins’ use of the WordPress REST API increases, so do the security issues related to it. The recently introduced plugin WebP Converter for Media is another example of that. One of the changelog entries for a recent version of the plugin is “Securing access to REST API”. Looking at the changes made in that version, we found that checks had been added to restrict access to the plugin’s REST API functionality, and that previously anyone could access it. It looks like that functionality would allow getting a list of the image files in the WordPress media library and converting image files stored there to the WebP format.
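The general shape of this class of issue and its fix, as an added example that is not the plugin's own code: a WordPress REST route registered with no effective access check next to one restricted by a `permission_callback`. The namespace, route paths, function name and the choice of the `manage_options` capability are assumptions made for illustration.

```php
<?php
// Added illustration. The namespace, routes and function name are hypothetical
// and are not taken from WebP Converter for Media.

// Handler used by both routes: returns URLs of images in the media library.
function example_list_images( WP_REST_Request $request ) {
    $ids = get_posts( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'image',
        'post_status'    => 'inherit',
        'posts_per_page' => 100,
        'fields'         => 'ids',
    ) );
    return rest_ensure_response( array_map( 'wp_get_attachment_url', $ids ) );
}

add_action( 'rest_api_init', function () {
    // Unrestricted form: the permission callback always returns true, so the
    // handler runs for any request, including unauthenticated ones.
    register_rest_route( 'example-plugin/v1', '/images-open', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_images',
        'permission_callback' => '__return_true',
    ) );

    // Restricted form: WordPress calls permission_callback before the handler
    // and returns the WP_Error to the client instead of running the handler.
    register_rest_route( 'example-plugin/v1', '/images', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_images',
        'permission_callback' => function () {
            // Assumed capability; choose the one that matches the feature.
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to access this endpoint.',
                    // 401 for logged-out requests, 403 for logged-in users.
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );
```

With cookie authentication, `current_user_can()` only sees the logged-in user when the request carries a valid `X-WP-Nonce` header, so a request without one is evaluated as logged out and is rejected by the restricted route.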

