The vulnerability is a Cross‑Site Request Forgery flaw in the opicron Image Cleanup plugin, affecting all released versions up to and including 1.9.2. Because the plugin does not validate that incoming requests originate from an authenticated user, an attacker who can trick a legitimate administrator into visiting a crafted URL can cause the plugin to execute privileged actions such as deleting images or other content. This flaw is classified as CWE‑352.

Any WordPress site that has installed the Image Cleanup plugin at version 1.9.2 or earlier is potentially vulnerable. The plugin is available under the opicron vendor umbrella, and no additional configuration steps are required to expose the flaw. Owners of WordPress installations should verify if the plugin is present and its version to determine exposure.

The CVSS score of 4.3 indicates a moderate impact, while the EPSS score of < 1% suggests exploitation is currently rare. The issue is not listed in the CISA KEV catalog, meaning no widely known exploits have been reported. Attackers would need to convince a victim who is logged into the WordPress administration area to visit a malicious link or otherwise submit a forged request; no additional credentials or technical skills are required beyond normal web interaction. Once the request is processed, the attacker can perform the plugin’s privileged operations without further barriers.