The vulnerability identified as CVE-2024-5855 affects the WordPress plugin 'Media Hygiene: Remove or Delete Unused Images and More!' in all versions up to and including 3.0.1. The root cause is a missing authorization check (CWE-862) on two AJAX actions: bulk_action_delete and delete_single_image_call. These actions handle deletion of media attachments but do not verify if the authenticated user has the necessary permissions to perform these deletions. As a result, any authenticated user with Subscriber-level access or above can invoke these AJAX endpoints to delete arbitrary attachments, leading to unauthorized data loss. While version 3.0.1 introduced a nonce check to prevent CSRF, it did not implement a capability check, which was only added in version 3.0.2. The vulnerability has a CVSS 3.1 base score of 4.3, reflecting a medium severity primarily due to its limited impact on availability and the requirement for authenticated access. There are no reports of active exploitation in the wild. The vulnerability impacts the integrity and availability of media content within affected WordPress sites, potentially disrupting website operations or content management.

This vulnerability can lead to unauthorized deletion of media attachments on WordPress sites using the affected plugin versions. For organizations, this means potential loss of important images or media files, which can disrupt website content, degrade user experience, and require time-consuming recovery efforts. Although it does not directly impact confidentiality or allow remote code execution, the loss of media assets can affect brand reputation and operational continuity, especially for content-heavy websites such as e-commerce, news, or portfolio sites. Since exploitation requires only Subscriber-level authentication, attackers could leverage compromised or low-privilege accounts to cause damage. The scope is limited to sites running the vulnerable plugin versions, but given WordPress's widespread use, the overall impact can be significant. No known exploits in the wild reduce immediate risk, but the vulnerability remains a concern until patched.

The primary mitigation is to upgrade the 'Media Hygiene: Remove or Delete Unused Images and More!' plugin to version 3.0.2 or later, where the missing capability checks have been implemented. Until upgrading is possible, site administrators should restrict user roles carefully, minimizing Subscriber-level accounts and monitoring for suspicious activity. Implementing strong authentication controls, such as multi-factor authentication, can reduce the risk of account compromise. Additionally, regular backups of media files and the WordPress database will facilitate recovery in case of unauthorized deletions. Site owners should also audit installed plugins regularly to identify and patch vulnerabilities promptly. Monitoring AJAX request logs for unusual deletion activity can help detect exploitation attempts. Finally, consider applying a Web Application Firewall (WAF) with custom rules to block unauthorized AJAX calls targeting these endpoints.