Description
The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.
Published: 2025-10-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Loss
Action: Immediate Patch
AI Analysis

Impact

The Originality.ai AI Checker plugin for WordPress contains a missing authorization check in its 'ai_scan_result_remove' function. Because the plugin fails to verify user capabilities, any authenticated user with Subscriber-level access or higher can call this function and delete all entries in the wp_originalityai_log table. This table holds post titles, scan scores, credit usage, and related metadata, so deletions result in irreversible loss of valuable audit and content data. The vulnerability is a classic privilege‑escalation/authorization flaw (CWE‑285) that affects confidentiality of audit information and the integrity of system logs.
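As an added illustration (not the plugin's own code, which the advisory does not show), the following sketches a WordPress AJAX handler of the shape described above, first in the unchecked form and then with the authorization and nonce checks in front of the deletion; the `wp_ajax_` hook name, the `manage_options` capability and the `nonce` field are assumptions.

```php
<?php
/**
 * Hypothetical handler pair for an action named ai_scan_result_remove.
 * Only the action name and the wp_originalityai_log table come from the
 * advisory; registration via wp_ajax_ and the capability are assumed.
 */

// VULNERABLE SHAPE (CWE-285): any logged-in user who can reach the
// action clears the whole log table, because nothing checks who is asking.
function ai_scan_result_remove_unchecked() {
    global $wpdb;
    $wpdb->query( "DELETE FROM {$wpdb->prefix}originalityai_log" ); // no capability check
    wp_send_json_success();
}

// HARDENED SHAPE: CSRF nonce check, then a capability check, before any
// state change. A Subscriber does not hold 'manage_options', so the
// request is refused with 403 instead of reaching the DELETE.
function ai_scan_result_remove_hardened() {
    // 1. Reject requests without a valid nonce issued for this action.
    check_ajax_referer( 'ai_scan_result_remove', 'nonce' );

    // 2. The missing authorization check: only administrators may clear
    //    the log. wp_send_json_error() terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Same destructive operation as before, now gated by the checks above.
    global $wpdb;
    $table   = $wpdb->prefix . 'originalityai_log';
    $removed = $wpdb->query( "DELETE FROM {$table}" );

    wp_send_json_success( array( 'rows_removed' => (int) $removed ) );
}

// Registering only wp_ajax_ (not wp_ajax_nopriv_) keeps anonymous users out,
// but every authenticated role can still reach the callback; the
// current_user_can() check is what actually restricts the deletion.
add_action( 'wp_ajax_ai_scan_result_remove', 'ai_scan_result_remove_hardened' );
```

The same gate belongs in front of any admin-post or REST route that performs the deletion, since restricting the role alone does nothing if the handler never asks for a capability.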

Affected Systems

All installations of the Originality.ai AI Checker plugin through version 1.0.15 are affected. The affected product is identified as originalityai:Originality.ai AI Checker, a WordPress plugin that adds AI-based content originality checking. Users should verify which version they are running and consider upgrading to version 1.0.16 or newer.

Risk and Exploitability

Although the CVSS score is 4.3, the vulnerability can be exploited by any logged-in user with the Subscriber role, a common level of access on many sites. The EPSS score is less than 1%, indicating a low publicly observed exploitation probability, and the issue is not listed in CISA's KEV catalog. Nonetheless, because deleted rows cannot be recovered except from backups, the impact on affected systems is significant. The attack vector is straightforward: a user who can authenticate to the WordPress admin area can invoke the deletion endpoint directly, assuming no additional protective filters are in place.

Generated by OpenCVE AI on April 22, 2026 at 14:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Originality.ai AI Checker plugin to version 1.0.16 or later, which restores proper capability checks for the deletion function.
  • Use a role‑management plugin (e.g., User Role Editor) to remove the ability for Subscriber roles to access the 'ai_scan_result_remove' endpoint until a patch is applied.
  • Back up the wp_originalityai_log table immediately to preserve audit data before modifying user roles or the plugin.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
  Removed: The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.
  Added: The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.
Type: Title
  Removed: Originality.ai AI Checker <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Scan Log Deletion via ' ai_scan_result_remove'
  Added: Originality.ai AI Checker <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Scan Log Deletion via ' ai_scan_result_remove'
Type: References

Mon, 27 Oct 2025 22:30:00 +0000

Type: First Time appeared
  Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Added: Wordpress; Wordpress wordpress

Fri, 24 Oct 2025 13:15:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Oct 2025 08:30:00 +0000

Type: Description
  Added: The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.
Type: Title
  Added: Originality.ai AI Checker <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Scan Log Deletion via ' ai_scan_result_remove'
Type: Weaknesses
  Added: CWE-285
Type: References
Type: Metrics
  Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:39.086Z

Reserved: 2025-09-23T23:43:02.828Z

Link: CVE-2025-10902

Vulnrichment

Updated: 2025-10-24T12:10:44.981Z

NVD

Status: Deferred

Published: 2025-10-24T09:15:42.080

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:15:20Z

Weaknesses