Originality.ai AI Checker WordPress Plugin Unauthorized Data Deletion Vulnerability

A vulnerability exists in the Originality.ai AI Checker plugin for WordPress, in all versions through 1.0.12. The issue arises from a lack of proper capability checks in the 'ai_scan_result_remove' function, allowing authenticated attackers with Subscriber-level access or higher to delete data from the 'wp_originalityai_log' database table. This table may contain post titles, scan scores, credits used, and other related information.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of scan log data from the WordPress database, potentially leading to loss of important content and scan history.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'ai_scan_result_remove' function without the necessary capability checks. This can be done by using the WordPress admin interface or through a custom script that targets the vulnerable function.

Remediation

No known patch is available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.