CVE-2025-11996
📋 TL;DR
The Find Unused Images WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to delete all image attachments from a WordPress site. This affects all WordPress sites using version 1.0.7 or earlier of the plugin. The vulnerability exists due to missing capability checks in two deletion functions.
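As an added illustration of the bug class described above (not code from the Find Unused Images plugin, whose actual source is linked in the references), the following shows an AJAX deletion handler with the missing checks beside a hardened version. The hook names follow the action parameters named in this advisory; the function names, the `attachment_id` parameter and the nonce action strings are assumptions.

```php
<?php
// Added illustration of the bug class in this advisory, not the plugin's own code.
// Hook names follow the action parameters named in this advisory; the function
// names, the attachment_id parameter and the nonce action strings are assumptions.
// VULNERABLE PATTERN: the wp_ajax_nopriv_ hook exposes the handler to visitors who
// are not logged in, and the handler checks neither a nonce nor a capability.
add_action( 'wp_ajax_nopriv_fui_delete_image', 'fui_delete_image_unsafe' );
add_action( 'wp_ajax_fui_delete_image', 'fui_delete_image_unsafe' );
function fui_delete_image_unsafe() {
    $id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    wp_delete_attachment( $id, true ); // no nonce check, no capability check
    wp_send_json_success();
}

// HARDENED: logged-in users only (no nopriv hook), a nonce bound to this action,
// and a per-object capability check before anything is deleted.
add_action( 'wp_ajax_fui_delete_image', 'fui_delete_image_safe' );
function fui_delete_image_safe() {
    check_ajax_referer( 'fui_delete_image', 'nonce' ); // wp_die()s with 403 on failure
    $id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }
    // delete_post is a meta capability resolved per object: administrators and
    // editors pass, authors only for their own uploads, subscribers never.
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_attachment( $id, true );
    wp_send_json_success();
}

// Bulk deletion touches every attachment, so gate it on a site-wide capability
// rather than a per-object one.
add_action( 'wp_ajax_fui_delete_all_images', 'fui_delete_all_images_safe' );
function fui_delete_all_images_safe() {
    check_ajax_referer( 'fui_delete_all_images', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $ids = get_posts( array( 'post_type' => 'attachment', 'post_status' => 'any',
                             'fields' => 'ids', 'posts_per_page' => -1 ) );
    foreach ( $ids as $id ) {
        wp_delete_attachment( $id, true );
    }
    wp_send_json_success( array( 'deleted' => count( $ids ) ) );
}
```

The nonce must be minted server-side with wp_create_nonce() using the same action string and passed to the page's JavaScript; without it, check_ajax_referer() rejects every request.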
💻 Affected Systems
- Find Unused Images WordPress Plugin
📦 What is this software?
Find Unused Images by Toastwebsites
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of all image attachments/media files from the WordPress site, potentially causing broken images across the entire website and requiring restoration from backups.
Likely Case
Attackers mass-delete images, disrupting website functionality and appearance, requiring time-consuming restoration efforts.
If Mitigated
No impact if plugin is updated or disabled, or if proper access controls prevent unauthenticated requests to vulnerable endpoints.
🎯 Exploit Status
Simple HTTP requests to vulnerable endpoints can trigger mass deletion. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.8 or later
Vendor Advisory: https://wordpress.org/plugins/find-unused-images/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Find Unused Images' and click 'Update Now'.
4. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable Plugin
Deactivate the vulnerable plugin to prevent exploitation
wp plugin deactivate find-unused-images
Web Application Firewall Rule
Block requests to vulnerable plugin endpoints
Block HTTP requests containing '/wp-admin/admin-ajax.php?action=fui_delete' or similar patterns
🧯 If You Can't Patch
- Deactivate the Find Unused Images plugin immediately
- Implement strict access controls to block unauthenticated requests to /wp-admin/admin-ajax.php
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Find Unused Images' version 1.0.7 or earlier
Check Version:
wp plugin get find-unused-images --field=version
Verify Fix Applied:
Verify plugin version is 1.0.8 or later, or confirm plugin is deactivated/removed
📡 Detection & Monitoring
Log Indicators:
- Multiple DELETE operations on media files originating from unauthenticated requests
- HTTP 200 responses to /wp-admin/admin-ajax.php with action=fui_delete parameters
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=fui_delete_image or action=fui_delete_all_images parameters
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND query_string CONTAINS "action=fui_delete")
🔗 References
- https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L44
- https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L53
- https://wordpress.org/plugins/find-unused-images/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa1964e-97e9-4166-89d5-788b336790b6?source=cve