CVE-2025-10902
📋 TL;DR
The Originality.ai AI Checker WordPress plugin, in versions up to and including 1.0.12, contains an authorization flaw in the action that clears its wp_originalityai_log database table: any authenticated user, including the lowest-privilege Subscriber role, can delete every row. The result is loss of the site's AI scan history (post titles, scores and credit usage data) and disruption of any workflow that relies on it.
💻 Affected Systems
- Originality.ai AI Checker WordPress Plugin
⚠️ Manual Verification Required
Automatic vulnerability detection may not flag this CVE: the NVD entry carries no machine-readable version range, so scanners that rely on it cannot decide whether your install is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable. The version information on this page (vulnerable through 1.0.12, fixed in 1.0.13) comes from the plugin itself and is what to check against by hand.
- Review the CVE details at NVD
- Check the plugin changelog and vendor advisories for your installed version
- Test whether the vulnerability is exploitable on a staging copy of your site, with a Subscriber-level test account
- Update to 1.0.13 or later regardless of what the scanners report
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated user deletes all AI scan history, causing permanent data loss and disrupting content verification workflows.
Likely Case
A low-privilege account deletes the scan logs, requiring restoration from backups and causing temporary operational disruption. Sites with open registration (Settings → General → "Anyone can register") are the most exposed, because an attacker can create the Subscriber account they need.
If Mitigated
Minimal impact with proper access controls and regular backups in place.
🎯 Exploit Status
Exploitation requires an authenticated account, but any role will do, and on sites with open registration an attacker can create one. Once logged in, triggering the deletion is a single authenticated request, so the technical bar is very low.
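The following is an added illustration of the flaw class, not code from the Originality.ai plugin: a WordPress admin-ajax handler that clears the log table, first without and then with the checks that would have prevented this issue. The hook name is taken from this page's detection indicators; the function and nonce names are invented for the example, and the table name assumes the default wp_ prefix via $wpdb->prefix.

```php
<?php
// Added illustrative example, not the plugin's actual code. It shows the
// general shape of an admin-ajax handler that clears a log table, with and
// without an authorization check. $wpdb->prefix is "wp_" on a default install.

// VULNERABLE PATTERN: every logged-in user can reach a wp_ajax_* hook, and
// nothing here asks whether the caller is allowed to clear the table.
function oai_example_remove_results_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'originalityai_log';
    $wpdb->query( "DELETE FROM {$table}" ); // runs for a Subscriber too
    wp_send_json_success( array( 'deleted' => true ) );
}

// HARDENED PATTERN: verify a nonce (CSRF) and a capability (authorization)
// before touching the table. manage_options restricts the action to
// administrators. The nonce action name 'oai_example_remove_results' and the
// request field 'nonce' are assumptions for this example.
function oai_example_remove_results_hardened() {
    global $wpdb;

    // Nonce check: rejects requests that did not originate from the plugin's
    // own admin page (wp_die()s on failure).
    check_ajax_referer( 'oai_example_remove_results', 'nonce' );

    // Capability check: this is the authorization control whose absence
    // lets a Subscriber clear the table.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $table   = $wpdb->prefix . 'originalityai_log';
    $deleted = $wpdb->query( "DELETE FROM {$table}" ); // returns affected rows or false
    wp_send_json_success( array( 'deleted_rows' => (int) $deleted ) );
}

// Only the hardened handler is registered. The action name comes from this
// page's detection indicators; the plugin's own function names may differ.
add_action( 'wp_ajax_ai_scan_result_remove', 'oai_example_remove_results_hardened' );
```

Note that a nonce alone would not have fixed this issue: a nonce proves the request came from the plugin's page, not that the user is permitted to perform the action. The capability check is the control that separates a Subscriber from an administrator.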
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.13 or later
Reference (plugin source on WordPress Trac, not a written advisory): https://plugins.trac.wordpress.org/browser/originality-ai/trunk/OriginalityAI.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Originality.ai AI Checker.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Deactivate the plugin to prevent exploitation while planning the permanent fix. The wp_ajax_ hook is only registered while the plugin is active, so deactivation removes the vulnerable action entirely; the log table and its data remain in place.
Database Table Permissions Restriction (limited usefulness)
WordPress runs every request, whether from an administrator or a Subscriber, under the single database user named in wp-config.php, so MySQL privileges cannot tell the two roles apart. Revoking DELETE from that user stops the vulnerable action, but it also stops the plugin's legitimate log clean-up and any other code path that deletes from this table. Two further caveats: a "delete all rows" routine may use TRUNCATE, which in MySQL requires the DROP privilege rather than DELETE, so both must be revoked; and a table-level REVOKE only works when the privilege was granted at table level, so the usual GRANT ALL ON wordpress_db.* setup cannot be narrowed this way without restructuring the grants. If those conditions are acceptable, assuming a database named wordpress_db, the default wp_ prefix and the WordPress user 'wordpress_user'@'localhost':
REVOKE DELETE, DROP ON wordpress_db.wp_originalityai_log FROM 'wordpress_user'@'localhost';
Restore the privileges once the plugin is on 1.0.13 or later:
GRANT DELETE, DROP ON wordpress_db.wp_originalityai_log TO 'wordpress_user'@'localhost';
🧯 If You Can't Patch
- Apply least privilege to accounts: disable open registration (Settings → General → "Anyone can register") unless it is needed, remove stale or unknown Subscriber accounts, and review who holds any role at all, since every authenticated user can trigger this action.
- Enable the MySQL binary log (or an audit plugin) and take regular backups of the database so the wp_originalityai_log table can be restored to a point in time if it is cleared.
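Where neither updating nor deactivating is possible, a must-use plugin can deny the action at the application layer without touching database privileges. The file below is an added example, not vendor code; it assumes the action name ai_scan_result_remove from this page's detection indicators and that the plugin registers its handler on the wp_ajax_ hook at WordPress's default priority 10. Denied attempts are written to the PHP error log, which also gives the detection section a signal that includes the user ID.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-10902 (example)
 *
 * Added example, not vendor code. Place this file in wp-content/mu-plugins/;
 * must-use plugins load before regular plugins and cannot be deactivated from
 * the admin UI. It hooks the same admin-ajax action named in this page's
 * detection section at priority 0, so it runs before the plugin's own handler
 * (assumed to be registered at the default priority 10) and ends the request
 * unless the caller is an administrator.
 *
 * Assumptions: the action name ai_scan_result_remove and that the plugin
 * registers it on wp_ajax_*. If the real plugin uses a different action name
 * or a REST route, this file does nothing. Remove it after updating to 1.0.13+.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Decide whether the current caller may clear the scan log.
 * Kept as a separate function so the rule is easy to read and adjust.
 */
function cve_2025_10902_caller_allowed() {
    return current_user_can( 'manage_options' );
}

/**
 * Runs ahead of the plugin's handler on the same hook. Logs denied attempts
 * (user ID and remote address) to the PHP error log, then ends the request
 * with HTTP 403 so the plugin's delete code is never reached.
 */
function cve_2025_10902_guard_remove_action() {
    if ( cve_2025_10902_caller_allowed() ) {
        return; // administrator: let the plugin's own handler run as normal
    }

    // REMOTE_ADDR is the direct peer; behind a reverse proxy it will be the proxy.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    error_log( sprintf(
        'CVE-2025-10902 virtual patch: blocked ai_scan_result_remove for user %d from %s',
        get_current_user_id(),
        $ip
    ) );

    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // calls wp_die()
}

// Priority 0 runs before the plugin's callback at the default priority 10.
add_action( 'wp_ajax_ai_scan_result_remove', 'cve_2025_10902_guard_remove_action', 0 );
```

Save it as wp-content/mu-plugins/cve-2025-10902-guard.php, confirm that an administrator can still clear the log and that a Subscriber account receives HTTP 403, and delete the file after updating to 1.0.13 or later. The guard only covers the named wp_ajax_ action; if the plugin exposes the same function under another action name or through the REST API, this file will not see that path.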
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Originality.ai AI Checker → Version. If version is 1.0.12 or lower, you are vulnerable.
Check Version:
wp plugin list --name=originality-ai --field=version
Verify Fix Applied:
After update, verify plugin version is 1.0.13 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- DELETE or TRUNCATE statements against the wp_originalityai_log table outside the plugin's normal usage (visible only if the MySQL general log, binary log or an audit plugin is enabled)
- Multiple failed authentication attempts followed by a successful login and then a deletion
- New self-registered Subscriber accounts shortly before the log table was emptied
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=ai_scan_result_remove. Note that admin-ajax sends the action parameter in the POST body, which a standard web server access log does not record; a WAF, reverse proxy or application-level logger that captures request bodies is needed to see it, unless the action was passed in the query string.
SIEM Query (pseudo-SQL; adapt the field names to your platform and the table prefix to your site):
SELECT * FROM logs WHERE (url LIKE '%admin-ajax.php%' AND parameters LIKE '%ai_scan_result_remove%') OR (sql_query LIKE '%DELETE FROM wp_originalityai_log%') OR (sql_query LIKE '%TRUNCATE%wp_originalityai_log%')