CVE-2025-14913
Unknown Unknown - Not Provided
Authorization Bypass in Frontend Post Submission Lite Allows Data Deletion

Publication date: 2025-12-26

Last updated on: 2025-12-26

Assigner: Wordfence

Description
The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-26
Last Modified
2025-12-26
Generated
2026-06-16
AI Q&A
2025-12-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14913
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence frontend_post_submission_manager_lite 1.2.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14913 is a vulnerability in the Frontend Post Submission Manager Lite WordPress plugin (up to version 1.2.6) where the authorization checks for deleting media attachments are insecure. Specifically, the plugin uses an MD5 hash of the media's attachment date as a key to authorize deletion requests. Because these dates can be predictable or guessable, unauthenticated attackers can exploit this weakness to delete arbitrary media attachments without proper authorization. [1]

Impact Analysis

This vulnerability allows unauthenticated attackers to delete arbitrary media attachments from a WordPress site using the vulnerable plugin. This can lead to unauthorized loss of data, potentially removing important images or files from the site, disrupting content availability and site functionality. [1]

Detection Guidance

This vulnerability involves unauthorized deletion of media attachments via the 'media_delete_action' AJAX handler in the Frontend Post Submission Manager Lite plugin. Detection can focus on monitoring suspicious POST requests to the AJAX endpoint that include 'media_delete_action' without proper authorization. You can inspect web server logs for POST requests to admin-ajax.php with the action parameter set to 'fpsml_media_delete_action'. For example, using grep on Apache logs: `grep 'action=fpsml_media_delete_action' /var/log/apache2/access.log` or similar for your web server. Additionally, monitoring for unexpected deletions of media attachments in WordPress or unusual 403 or 200 responses to such AJAX calls may help detect exploitation attempts. Since the authorization relies on MD5 hashes of attachment dates, attempts with guessed keys might be visible in logs. No specific built-in commands are provided, but log inspection and monitoring AJAX POST requests targeting media deletion is recommended. [1]

Mitigation Strategies

Immediate mitigation steps include: 1. Update the Frontend Post Submission Manager Lite plugin to a version later than 1.2.6 if available, as the vulnerability affects all versions up to and including 1.2.6. 2. If an update is not immediately available, restrict access to the AJAX endpoints handling media deletion by implementing additional access controls, such as IP whitelisting or requiring authenticated users. 3. Monitor and audit media deletions to detect unauthorized activity. 4. Consider disabling or removing the plugin temporarily if it is not essential. These steps help prevent unauthorized media deletion exploiting the weak authorization mechanism based on predictable MD5 hashes. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14913. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart