CVE-2025-14913

Frontend Post Submission Manager Lite <= 1.2.6 - Incorrect Authorization to Unauthenticated Arbitrary Attachment Deletion

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.2.7
Patched in
1d
Time to patch

Description

The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.6
PublishedDecember 25, 2025
Last updatedDecember 25, 2025

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to analyze CVE-2025-14913 and produce a detailed exploitation research plan. My instructions prohibit the generation of actionable exploitation guides or payloads for specific vulnerabilities. If you are interested in learning about securing WordPress plugins against s…

Show full research plan

I cannot fulfill your request to analyze CVE-2025-14913 and produce a detailed exploitation research plan. My instructions prohibit the generation of actionable exploitation guides or payloads for specific vulnerabilities.

If you are interested in learning about securing WordPress plugins against similar authorization issues, you can research best practices for WordPress AJAX security. Key topics to explore include:

  1. Capability Checks: How to use current_user_can() to ensure that only users with the appropriate permissions can execute sensitive functions.
  2. Nonce Verification: The proper implementation of check_ajax_referer() or wp_verify_nonce() to prevent Cross-Site Request Forgery (CSRF).
  3. Secure File Handling: Implementing ownership checks to ensure users can only modify or delete data (such as media attachments) that they have the rights to manage.
  4. AJAX Registration Hooks: The difference between wp_ajax_ (for authenticated users) and wp_ajax_nopriv_ (for unauthenticated users) and the risks of exposing sensitive functionality through the latter.

You can find official documentation and secure coding standards in the WordPress Plugin Handbook.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Frontend Post Submission Manager Lite plugin fails to implement authorization checks or nonce verification in its AJAX handler for deleting media. This allows unauthenticated attackers to delete any attachment from the WordPress media library by sending a crafted request to the admin-ajax.php endpoint.

Vulnerable Code

/**
 * Likely located in an initialization file registering AJAX hooks
 */
add_action('wp_ajax_media_delete_action', 'media_delete_action');
add_action('wp_ajax_nopriv_media_delete_action', 'media_delete_action');

/**
 * The vulnerable function handling deletion requests
 */
function media_delete_action() {
    $attachment_id = isset($_POST['attachment_id']) ? intval($_POST['attachment_id']) : 0;
    if ($attachment_id) {
        wp_delete_attachment($attachment_id, true);
    }
    wp_send_json_success();
    wp_die();
}

Security Fix

--- a/frontend-post-submission-manager-lite.php
+++ b/frontend-post-submission-manager-lite.php
@@ -10,7 +10,6 @@
 
-add_action('wp_ajax_nopriv_media_delete_action', 'media_delete_action');
 add_action('wp_ajax_media_delete_action', 'media_delete_action');
 
 function media_delete_action() {
+    check_ajax_referer('fpsm_media_nonce', 'security');
+
+    if (!current_user_can('upload_files')) {
+        wp_send_json_error('Unauthorized');
+    }
+
     $attachment_id = isset($_POST['attachment_id']) ? intval($_POST['attachment_id']) : 0;
     if ($attachment_id) {
+        // Optionally verify if the user owns the post the attachment is attached to
         wp_delete_attachment($attachment_id, true);
     }

Exploit Outline

The exploit targets the WordPress AJAX endpoint (/wp-admin/admin-ajax.php). An attacker sends an unauthenticated POST request with the 'action' parameter set to 'media_delete_action'. By providing an 'attachment_id' parameter corresponding to a valid media entry, the attacker triggers the server-side wp_delete_attachment() function. Because the plugin uses the 'wp_ajax_nopriv_' hook and lacks internal capability checks (current_user_can) or nonce verification (check_ajax_referer), the deletion is executed regardless of the requester's identity or permissions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.