{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14629", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-12T21:31:04.419Z", "datePublished": "2026-01-24T07:26:45.155Z", "dateUpdated": "2026-04-08T17:04:46.584Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:46.584Z"}, "affected": [{"vendor": "tandubhai", "product": "Alchemist Ajax Upload", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments."}], "title": "Alchemist Ajax Upload <= 1.1 - Missing Authorization to Unauthenticated Arbitrary Media File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve"}, {"url": "https://wordpress.org/plugins/alchemist-ajax-upload/"}, {"url": "https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231"}, {"url": "https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Camilla Flocco"}], "timeline": [{"time": "2026-01-23T19:18:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:18:47.839507Z", "id": "CVE-2025-14629", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:18:54.374Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14629", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:18:47.839507Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:18:51.485Z"}}], "cna": {"title": "Alchemist Ajax Upload <= 1.1 - Missing Authorization to Unauthenticated Arbitrary Media File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Camilla Flocco"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "tandubhai", "product": "Alchemist Ajax Upload", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T19:18:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve"}, {"url": "https://wordpress.org/plugins/alchemist-ajax-upload/"}, {"url": "https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231"}, {"url": "https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231"}], "descriptions": [{"lang": "en", "value": "The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:46.584Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14629", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:46.584Z", "dateReserved": "2025-12-12T21:31:04.419Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T07:26:45.155Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments."}, {"lang": "es", "value": "El plugin Alchemist Ajax Upload para WordPress es vulnerable a la eliminaci\u00f3n no autorizada de archivos multimedia debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n 'delete_file' en todas las versiones hasta la 1.1, inclusive. Esto hace posible que atacantes no autenticados eliminen archivos adjuntos multimedia arbitrarios de WordPress."}], "id": "CVE-2025-14629", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T08:16:05.713", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/alchemist-ajax-upload/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:11:37.343735+00:00", "value": {"mitigation_remediation": ["Upgrade the Alchemist Ajax Upload plugin to a version newer than 1.1, if available.", "If an upgrade is not possible, disable or uninstall the plugin to eliminate the deletion endpoint.", "As a temporary measure, restrict access to the upload and media deletion endpoints through role\u2011based permissions or firewall rules, ensuring that only authenticated users with proper capabilities can perform file deletions."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted Deletion of Media Files"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Alchemist Ajax Upload plugin of version 1.1 or earlier installed. The plugin is maintained by vendor tandubhai and is publicly available through the WordPress plugin repository.", "description_and_impact": "The Alchemist Ajax Upload plugin for WordPress suffers from a missing capability check in the delete_file function, allowing attackers without authentication to delete any media attachment. This flaw enables arbitrary removal of images, videos, and other media assets that are critical to site integrity and user experience. The weakness corresponds to CWE-862, a missing authorization vulnerability.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of <\u202f1\u202f% shows a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be unauthenticated: any user who can access the upload endpoint can trigger the deletion function. Successful exploitation results in loss of media files, potentially degrading the site's marketing materials, user engagement, and overall credibility."}}}}, "created": "2026-01-26T11:48:25.334698+00:00", "updated": "2026-04-21T16:15:40.506008+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}