Description

The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functions in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments.

PUBLISHED Reserved 2025-10-20 | Published 2025-11-11 | Updated 2025-11-12 | Assigner Wordfence




MEDIUM: 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

* (semver): affected

Timeline

2025-11-10: Disclosed

Credits

JohSka (finder)

References

wordpress.org/plugins/find-unused-images/ exploit

www.wordfence.com/...-97e9-4166-89d5-788b336790b6?source=cve

plugins.trac.wordpress.org/....0.7/inc/generic-functions.php

wordpress.org/plugins/find-unused-images/

cve.org (CVE-2025-11996)

nvd.nist.gov (CVE-2025-11996)
