CVE-2025-14629
Unauthorized Media Deletion in Alchemist Ajax Upload WordPress Plugin
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rajesh_tandukar | alchemist_ajax_upload | up to and including 1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14629 is a vulnerability in the Alchemist Ajax Upload WordPress plugin (up to version 1.1) that allows unauthenticated attackers to delete arbitrary media files. This happens because the plugin's 'delete_file' function lacks proper capability checks, meaning it does not verify if the user has permission to delete files. The plugin supports AJAX-based image uploads and deletions accessible even to non-logged-in users, and the deletion process can be triggered via AJAX calls without sufficient validation, enabling unauthorized media file deletion. [1, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers who are not logged in to delete any media files (attachments) in your WordPress site that uses the Alchemist Ajax Upload plugin. This could lead to loss of important media content, disruption of website functionality, and potential damage to your site's appearance or content integrity. Since the deletion is unauthorized, it compromises the integrity and availability of your media assets. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for unauthorized deletion requests to the AJAX endpoint handling media deletions in the Alchemist Ajax Upload plugin. Since the plugin uses AJAX calls with a POST parameter 'attach_id' to delete media files without proper capability checks, monitoring HTTP POST requests to the plugin's AJAX delete handler URL for suspicious activity can help detect exploitation attempts. Additionally, inspecting the WordPress media library for unexpected missing attachments or deletion logs may indicate exploitation. Specific commands could include using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to URLs containing 'aaiu_delete', or scanning web server logs for POST requests to such endpoints. For example, on a Linux server, you might use:

1. To search web server logs for suspicious delete requests: `grep -i 'POST.*aaiu_delete' /var/log/apache2/access.log`
2. To monitor live HTTP traffic for delete requests: `sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'aaiu_delete'`

However, no specific detection commands are provided in the resources. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Disable or uninstall the Alchemist Ajax Upload plugin, especially since it has been closed and is no longer maintained as of January 21, 2026.
2. Restrict access to the AJAX endpoints related to file deletion ('aaiu_delete') by implementing server-level access controls or firewall rules to block unauthenticated requests.
3. Review and restore any deleted media files from backups if exploitation is suspected.
4. Monitor and audit user activity and logs for unauthorized deletions.
5. If continued use is necessary, apply custom patches or code modifications to enforce proper capability checks on the 'delete_file' function to prevent unauthorized deletions.

Since the plugin lacks proper capability checks on deletion, ensuring only authenticated and authorized users can perform deletions is critical. Given the plugin is deprecated and unavailable for download pending review, removing it is the safest immediate action. [2, 3]
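As an added example of what step 5 means in practice (this is illustrative code, not the plugin's own source), the following must-use plugin unregisters the anonymous AJAX handler and provides a replacement that enforces a nonce, input validation and a capability check before deleting an attachment. It assumes the plugin registers its handler under the action name 'aaiu_delete' and reads the attachment ID from the POST parameter 'attach_id'; the function name `example_aaiu_delete_hardened` and the nonce action 'aaiu_delete_nonce' are invented for the example.

```php
<?php
/**
 * Added example, not the Alchemist Ajax Upload plugin's own code.
 * Assumed: the plugin hooks 'aaiu_delete' and reads $_POST['attach_id'].
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Remove any anonymous (nopriv) handler the plugin registered for the
// delete action. mu-plugins load first, so this runs after the plugin
// has added its hooks but before admin-ajax.php dispatches them.
add_action( 'plugins_loaded', function () {
    remove_all_actions( 'wp_ajax_nopriv_aaiu_delete' );
    remove_all_actions( 'wp_ajax_aaiu_delete' );
    // Register only the authenticated variant; anonymous callers now get
    // admin-ajax.php's default "0" response instead of a deletion.
    add_action( 'wp_ajax_aaiu_delete', 'example_aaiu_delete_hardened' );
}, 100 );

function example_aaiu_delete_hardened() {
    // 1. Nonce: the request must originate from a page this site rendered.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'aaiu_delete_nonce', 'nonce' );

    // 2. Input validation: only a positive integer that names an attachment.
    $attach_id = isset( $_POST['attach_id'] ) ? absint( $_POST['attach_id'] ) : 0;
    if ( ! $attach_id || 'attachment' !== get_post_type( $attach_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // 3. Capability check: the control missing in CWE-862. WordPress maps
    //    'delete_post' to delete_posts / delete_others_posts as appropriate,
    //    so a user can only remove media they are allowed to delete.
    if ( ! current_user_can( 'delete_post', $attach_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 4. Only now delete (true = skip trash and remove the files on disk).
    if ( ! wp_delete_attachment( $attach_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $attach_id ) );
}

// The front-end JavaScript must send the matching nonce, created when the
// upload UI is rendered, e.g.:
// wp_localize_script( 'aaiu', 'aaiuData',
//     array( 'nonce' => wp_create_nonce( 'aaiu_delete_nonce' ) ) );
```

Because the real hook and parameter names may differ from the assumptions above, confirm them in the plugin source before relying on this shim; removing the plugin remains the safer option.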