Description
The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functiosn in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments.
Published: 2025-11-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data loss through unauthorized deletion of all site attachments
Action: Update Plugin
AI Analysis

Impact

The Find Unused Images plugin for WordPress contains a missing capability check in its fui_delete_image() and fui_delete_all_images() functions in all versions up to 1.0.7. This flaw allows an attacker without authentication to execute those functions and delete every attachment stored on the site, effectively erasing media files and breaking references in posts or pages. The vulnerability is classified as CWE‑862, a missing authorization flaw that directly compromises data integrity.

Affected Systems

WordPress sites that have the Toastwebsites Find Unused Images plugin installed, specifically versions 1.0.7 and earlier.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity for missing authorization. The EPSS score of less than 1% suggests a low probability of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable functions via HTTP requests to the plugin’s endpoints without needing authentication, making the exploitation path straightforward.

Generated by OpenCVE AI on April 22, 2026 at 12:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Find Unused Images plugin to the latest version that includes the missing authorization check.
  • Back up the WordPress database and the attachments directory before applying any update or change.
  • Verify that only users with sufficient capability (e.g., administrator) can trigger the delete functions and consider disabling or removing the plugin if it is not essential to site operation.

Generated by OpenCVE AI on April 22, 2026 at 12:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Toastwebsites
Toastwebsites find Unused Images
CPEs cpe:2.3:a:toastwebsites:find_unused_images:*:*:*:*:*:wordpress:*:*
Vendors & Products Toastwebsites
Toastwebsites find Unused Images

Wed, 12 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functiosn in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments.
Title Find Unused Images <= 1.0.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Toastwebsites Find Unused Images
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:01.931Z

Reserved: 2025-10-20T20:44:00.939Z

Link: CVE-2025-11996

cve-icon Vulnrichment

Updated: 2025-11-12T16:52:43.100Z

cve-icon NVD

Status : Analyzed

Published: 2025-11-11T04:15:45.130

Modified: 2025-12-22T15:03:56.050

Link: CVE-2025-11996

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses