CVE-2025-14629
📋 TL;DR
The Alchemist Ajax Upload WordPress plugin allows unauthenticated attackers to delete arbitrary media attachments due to missing capability checks. This affects all WordPress sites using plugin versions up to and including 1.1. Attackers can permanently remove uploaded files without authentication.
💻 Affected Systems
- Alchemist Ajax Upload WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of media library including critical business images, product photos, or documentation, potentially disrupting website functionality and causing data loss.
Likely Case
Selective deletion of important media files causing website content gaps, broken images, and potential business disruption.
If Mitigated
Minimal impact if plugin is disabled or removed, though existing media remains vulnerable until patched.
🎯 Exploit Status
Simple HTTP request to vulnerable endpoint with file parameter. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://wordpress.org/plugins/alchemist-ajax-upload/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Alchemist Ajax Upload'
4. Click 'Deactivate' then 'Delete'
5. Monitor for plugin updates and reinstall only when patched version is available
🔧 Temporary Workarounds
Disable Plugin via wp-config.php
allPrevent plugin from loading by defining it as must-use or disabling via constant
define('DISALLOW_FILE_MODS', true); // Add to wp-config.php
Block Vulnerable Endpoint via .htaccess
linuxBlock access to the vulnerable AJAX endpoint
RewriteEngine On
RewriteRule ^wp-content/plugins/alchemist-ajax-upload/.*\.php$ - [F,L]
🧯 If You Can't Patch
- Remove plugin completely and use alternative file upload solutions
- Implement web application firewall rules to block requests to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Alchemist Ajax Upload' version 1.1 or earlierCheck Version:
wp plugin list --name='alchemist-ajax-upload' --field=versionVerify Fix Applied:
Confirm plugin is either removed or updated to version after 1.1📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-content/plugins/alchemist-ajax-upload/ with 'delete_file' parameter
- 404 errors for previously existing media files
- Unusual media deletion patterns
Network Indicators:
- POST requests to plugin AJAX endpoints from unauthenticated sources
- Bursts of DELETE-like operations without authentication
SIEM Query:
source="web_server" AND (uri="*alchemist-ajax-upload*" AND method="POST" AND (param="delete_file" OR status=404))🔗 References
- https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231
- https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231
- https://wordpress.org/plugins/alchemist-ajax-upload/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve
