{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11996", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-20T20:44:00.939Z", "datePublished": "2025-11-11T03:30:35.905Z", "dateUpdated": "2026-04-08T16:47:01.931Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:01.931Z"}, "affected": [{"vendor": "toastwebsites", "product": "Find Unused Images", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functiosn in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments."}], "title": "Find Unused Images <= 1.0.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa1964e-97e9-4166-89d5-788b336790b6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L44"}, {"url": "https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L53"}, {"url": "https://wordpress.org/plugins/find-unused-images/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-11-10T15:16:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"references": [{"url": "https://wordpress.org/plugins/find-unused-images/", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T16:47:57.844815Z", "id": "CVE-2025-11996", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:08:23.692Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Find Unused Images <= 1.0.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "toastwebsites", "product": "Find Unused Images", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:16:36.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa1964e-97e9-4166-89d5-788b336790b6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L44"}, {"url": "https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L53"}, {"url": "https://wordpress.org/plugins/find-unused-images/"}], "descriptions": [{"lang": "en", "value": "The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functiosn in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-11T03:30:35.905Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11996", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T16:47:57.844815Z"}}}], "references": [{"url": "https://wordpress.org/plugins/find-unused-images/", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-11-12T16:52:43.100Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-11996", "state": "PUBLISHED", "dateUpdated": "2025-11-11T03:30:35.905Z", "dateReserved": "2025-10-20T20:44:00.939Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:35.905Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:toastwebsites:find_unused_images:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "90EE6CE1-E2A9-4E8F-8123-CFC4151FE37A", "versionEndIncluding": "1.0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functiosn in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments."}], "id": "CVE-2025-11996", "lastModified": "2025-12-22T15:03:56.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:45.130", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L44"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/find-unused-images/tags/1.0.7/inc/generic-functions.php#L53"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/find-unused-images/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa1964e-97e9-4166-89d5-788b336790b6?source=cve"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Product"], "url": "https://wordpress.org/plugins/find-unused-images/"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:00:16.108627+00:00", "value": {"mitigation_remediation": ["Upgrade the Find Unused Images plugin to the latest version that includes the missing authorization check.", "Back up the WordPress database and the attachments directory before applying any update or change.", "Verify that only users with sufficient capability (e.g., administrator) can trigger the delete functions and consider disabling or removing the plugin if it is not essential to site operation."], "summary": {"action": "Update Plugin", "impact": "Data loss through unauthorized deletion of all site attachments"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Toastwebsites Find Unused Images plugin installed, specifically versions 1.0.7 and earlier.", "description_and_impact": "The Find Unused Images plugin for WordPress contains a missing capability check in its fui_delete_image() and fui_delete_all_images() functions in all versions up to 1.0.7. This flaw allows an attacker without authentication to execute those functions and delete every attachment stored on the site, effectively erasing media files and breaking references in posts or pages. The vulnerability is classified as CWE\u2011862, a missing authorization flaw that directly compromises data integrity.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity for missing authorization. The EPSS score of less than 1% suggests a low probability of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable functions via HTTP requests to the plugin\u2019s endpoints without needing authentication, making the exploitation path straightforward."}}}}, "created": "2025-11-12T12:47:41.499801+00:00", "updated": "2026-04-22T12:15:16.040859+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}