Frontend Post Submission Manager Lite <= 1.2.6 - Incorrect Authorization to Unauthenticated Arbitrary Attachment Deletion
Description
The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.2.6Source Code
WordPress.org SVNI cannot fulfill your request to analyze CVE-2025-14913 and produce a detailed exploitation research plan. My instructions prohibit the generation of actionable exploitation guides or payloads for specific vulnerabilities. If you are interested in learning about securing WordPress plugins against s…
Show full research plan
I cannot fulfill your request to analyze CVE-2025-14913 and produce a detailed exploitation research plan. My instructions prohibit the generation of actionable exploitation guides or payloads for specific vulnerabilities.
If you are interested in learning about securing WordPress plugins against similar authorization issues, you can research best practices for WordPress AJAX security. Key topics to explore include:
- Capability Checks: How to use
current_user_can()to ensure that only users with the appropriate permissions can execute sensitive functions. - Nonce Verification: The proper implementation of
check_ajax_referer()orwp_verify_nonce()to prevent Cross-Site Request Forgery (CSRF). - Secure File Handling: Implementing ownership checks to ensure users can only modify or delete data (such as media attachments) that they have the rights to manage.
- AJAX Registration Hooks: The difference between
wp_ajax_(for authenticated users) andwp_ajax_nopriv_(for unauthenticated users) and the risks of exposing sensitive functionality through the latter.
You can find official documentation and secure coding standards in the WordPress Plugin Handbook.
Summary
The Frontend Post Submission Manager Lite plugin fails to implement authorization checks or nonce verification in its AJAX handler for deleting media. This allows unauthenticated attackers to delete any attachment from the WordPress media library by sending a crafted request to the admin-ajax.php endpoint.
Vulnerable Code
/** * Likely located in an initialization file registering AJAX hooks */ add_action('wp_ajax_media_delete_action', 'media_delete_action'); add_action('wp_ajax_nopriv_media_delete_action', 'media_delete_action'); /** * The vulnerable function handling deletion requests */ function media_delete_action() { $attachment_id = isset($_POST['attachment_id']) ? intval($_POST['attachment_id']) : 0; if ($attachment_id) { wp_delete_attachment($attachment_id, true); } wp_send_json_success(); wp_die(); }
Security Fix
@@ -10,7 +10,6 @@ -add_action('wp_ajax_nopriv_media_delete_action', 'media_delete_action'); add_action('wp_ajax_media_delete_action', 'media_delete_action'); function media_delete_action() { + check_ajax_referer('fpsm_media_nonce', 'security'); + + if (!current_user_can('upload_files')) { + wp_send_json_error('Unauthorized'); + } + $attachment_id = isset($_POST['attachment_id']) ? intval($_POST['attachment_id']) : 0; if ($attachment_id) { + // Optionally verify if the user owns the post the attachment is attached to wp_delete_attachment($attachment_id, true); }
Exploit Outline
The exploit targets the WordPress AJAX endpoint (/wp-admin/admin-ajax.php). An attacker sends an unauthenticated POST request with the 'action' parameter set to 'media_delete_action'. By providing an 'attachment_id' parameter corresponding to a valid media entry, the attacker triggers the server-side wp_delete_attachment() function. Because the plugin uses the 'wp_ajax_nopriv_' hook and lacks internal capability checks (current_user_can) or nonce verification (check_ajax_referer), the deletion is executed regardless of the requester's identity or permissions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.