Find Unused Images WordPress Plugin Missing Authorization Vulnerability Allowing Unauthenticated Attachment Deletion

Vulnerability

A vulnerability exists in the Find Unused Images plugin for WordPress, in versions through 1.0.7, due to a lack of proper capability checks. This flaw allows unauthenticated users to delete any of the site's attachments, leading to unauthorized data loss.

Impact

Exploitation of this vulnerability allows for arbitrary deletion of WordPress attachments, potentially leading to loss of important media or document files from the site.

Reproduction

The vulnerability can be reproduced by sending a request to the WordPress site with the 'wp_ajax_fui_delete_image' or 'wp_ajax_fui_delete_all_images' action. These requests can be made without authentication, and they will delete the specified images or all images, respectively.
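
One way to close the gap described above is for each handler to verify a nonce and the caller's capability before deleting anything. This is an added example, not the plugin's own code: only the two hook names come from the advisory, while the function names, nonce action, request field and option name are assumptions.

```php
<?php
// Added example. Hook names are from the advisory; everything prefixed
// "example_" and the 'attachment_id' / 'nonce' fields are hypothetical.
add_action( 'wp_ajax_fui_delete_image', 'example_fui_delete_image' );
add_action( 'wp_ajax_fui_delete_all_images', 'example_fui_delete_all_images' );

function example_fui_delete_image() {
    // CSRF protection: terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_fui_delete', 'nonce' );

    $id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // Authorization: the caller must be allowed to delete this specific attachment.
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    if ( ! wp_delete_attachment( $id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}

function example_fui_delete_all_images() {
    check_ajax_referer( 'example_fui_delete', 'nonce' );

    // Assumed policy: bulk deletion is limited to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // Hypothetical source of ids: the list a previous scan stored as unused.
    $ids     = array_map( 'absint', (array) get_option( 'example_fui_unused_ids', array() ) );
    $deleted = array();
    foreach ( $ids as $id ) {
        // Re-validate every id so a tampered list cannot delete other post types.
        if ( 'attachment' === get_post_type( $id )
            && current_user_can( 'delete_post', $id )
            && wp_delete_attachment( $id, true ) ) {
            $deleted[] = $id;
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```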

Added: Nov 11, 2025, 4:50 AM
Updated: Nov 11, 2025, 4:50 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.