Description
Cross-Site Request Forgery (CSRF) vulnerability in Carlos Minatti Delete Original Image delete-original-image allows Cross Site Request Forgery.This issue affects Delete Original Image: from n/a through <= 0.4.
Published: 2025-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw in the Delete Original Image WordPress plugin. The missing CSRF token validation (CWE‑352) enables an attacker to force a logged‑in user to execute delete actions that remove original images from the site. As a result, the integrity of media assets is compromised, leading to permanent data loss when images are removed without consent.

Affected Systems

The issue affects the Carlos Minatti Delete Original Image plugin for WordPress, with all releases up to and including version 0.4. Any WordPress host that has installed this plugin, particularly sites that retain original media, is vulnerable.

Risk and Exploitability

The CVSS base score is 4.3, indicating a moderate risk. The EPSS score of < 1 % reflects a very low probability of exploitation at the current time, and the vulnerability is not listed in KEV. Attackers would need the victim to be authenticated to the target site and would rely on an HTTP request that bypasses the missing CSRF check. If such a request is crafted, image files could be deleted automatically by the plugin’s action hooks.

Generated by OpenCVE AI on May 2, 2026 at 03:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Delete Original Image to the latest release (0.5 or later) which implements proper CSRF protection.
  • If an upgrade is unavailable, disable or uninstall the plugin to eliminate the deletion capability.
  • Configure site‑wide security measures such as a web‑application firewall or CSRF‑token enforcement plugin to monitor and block suspicious delete requests.

Generated by OpenCVE AI on May 2, 2026 at 03:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7833 Cross-Site Request Forgery (CSRF) vulnerability in Carlos Minatti Delete Original Image allows Cross Site Request Forgery. This issue affects Delete Original Image: from n/a through 0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Carlos Minatti Delete Original Image allows Cross Site Request Forgery. This issue affects Delete Original Image: from n/a through 0.4. Cross-Site Request Forgery (CSRF) vulnerability in Carlos Minatti Delete Original Image delete-original-image allows Cross Site Request Forgery.This issue affects Delete Original Image: from n/a through <= 0.4.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00024}

 epss

{'score': 0.00034}

Wed, 19 Mar 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Carlosminatti
Carlosminatti delete Original Image
CPEs cpe:2.3:a:carlosminatti:delete_original_image:*:*:*:*:*:wordpress:*:*
Vendors & Products Carlosminatti
Carlosminatti delete Original Image

Wed, 12 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 11 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Carlos Minatti Delete Original Image allows Cross Site Request Forgery. This issue affects Delete Original Image: from n/a through 0.4.
Title WordPress Delete Original Image plugin <= 0.4 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Carlosminatti Delete Original Image
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.198Z

Reserved: 2025-03-11T08:08:42.175Z

Link: CVE-2025-28863

cve-icon Vulnrichment

Updated: 2025-03-12T15:03:23.934Z

cve-icon NVD

Status : Modified

Published: 2025-03-11T21:15:43.647

Modified: 2026-06-17T09:04:47.283

Link: CVE-2025-28863

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T03:45:33Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)