The webp-express plugin before 0.14.11 for WordPress has insufficient protection against arbitrary file reading.