{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14913", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T19:29:05.828Z", "datePublished": "2025-12-25T23:20:02.743Z", "dateUpdated": "2026-04-08T16:37:55.266Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:55.266Z"}, "affected": [{"vendor": "wpshuffle", "product": "Frontend Post Submission Manager Lite \u2013 Frontend Posting WordPress Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Frontend Post Submission Manager Lite \u2013 Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments."}], "title": "Frontend Post Submission Manager Lite <= 1.2.6 - Incorrect Authorization to Unauthenticated Arbitrary Attachment Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19a6b19c-244d-4b30-8db2-b4d06a5f5509?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-ajax.php#L91"}, {"url": "https://plugins.trac.wordpress.org/changeset/3427082/frontend-post-submission-manager-lite"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-12-18T19:44:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-25T11:05:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-26T14:49:18.855238Z", "id": "CVE-2025-14913", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T14:51:18.712Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14913", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-26T14:49:18.855238Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T14:49:19.941Z"}}], "cna": {"title": "Frontend Post Submission Manager Lite <= 1.2.6 - Incorrect Authorization to Unauthenticated Arbitrary Attachment Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpshuffle", "product": "Frontend Post Submission Manager Lite \u2013 Frontend Posting WordPress Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-18T19:44:42.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-25T11:05:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19a6b19c-244d-4b30-8db2-b4d06a5f5509?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-ajax.php#L91"}, {"url": "https://plugins.trac.wordpress.org/changeset/3427082/frontend-post-submission-manager-lite"}], "descriptions": [{"lang": "en", "value": "The Frontend Post Submission Manager Lite \u2013 Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:55.266Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14913", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:55.266Z", "dateReserved": "2025-12-18T19:29:05.828Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-25T23:20:02.743Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Frontend Post Submission Manager Lite \u2013 Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments."}], "id": "CVE-2025-14913", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-26T00:16:00.030", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-ajax.php#L91"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3427082/frontend-post-submission-manager-lite"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19a6b19c-244d-4b30-8db2-b4d06a5f5509?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:59:43.477838+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to a version newer than 1.2.6 that contains the missing authorization fix.", "If an immediate upgrade isn\u2019t possible, restrict the media_delete_action endpoint so that only authenticated or privileged users can access it, effectively disabling unauthenticated delete capabilities.", "Implement a web\u2011application firewall rule that blocks unauthenticated DELETE or POST requests to the media_delete_action URL to provide a temporary protective barrier."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized attachment deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Frontend Post Submission Manager Lite plugin from version 1.0 up to and including 1.2.6. These installations are directly vulnerable until the plugin is updated to a more recent release that implements proper authentication checks for the delete action.", "description_and_impact": "The Frontend Post Submission Manager Lite plugin contains a missing authorization flaw in the media_delete_action function that allows any unauthenticated web user to delete files stored on the server. Because the vulnerability permits arbitrary removal of attachments, an attacker can erase media used by a WordPress site, compromising content availability and potentially disrupting user experience. This flaw falls under CWE\u2011862, a missing authorization weakness. The impact is data loss rather than code execution or privilege escalation.", "risk_and_exploitability": "With a CVSS score of 5.3, the overall severity is moderate; the EPSS score is below 1\u202f%, indicating low predicted exploitation likelihood, and the vulnerability is not catalogued in the CISA KEV list. The flaw can be exploited remotely by sending an unauthenticated HTTP request to the media_delete_action endpoint, so any publicly accessible WordPress installation that has the plugin enabled is potentially at risk. No additional credentials or network proximity are required, making the attack vector effectively public."}}}}, "created": "2025-12-29T23:04:18.817024+00:00", "updated": "2026-04-22T16:00:12.110403+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpshuffle", "wpshuffle$PRODUCT$frontend_post_submission_manager"]}