CVE-2025-10901 identifies a missing authorization vulnerability (CWE-862) in the Originality.ai AI Checker plugin for WordPress, present in all versions up to 1.0.12. The vulnerability stems from the absence of a capability check on the 'ai_get_table' function, which is responsible for retrieving data from the wp_originalityai_log database table. This table contains sensitive information including post titles, AI scan scores, credits used, and potentially other metadata related to content originality checks. Because the plugin fails to verify whether the requesting user has sufficient privileges, any authenticated user with Subscriber-level access or higher can invoke this function and retrieve the entire contents of this table. The vulnerability is remotely exploitable over the network without requiring user interaction, but it does require the attacker to be authenticated with at least minimal privileges. The CVSS v3.1 score is 4.3 (medium), reflecting the limited scope of impact (confidentiality only) and the low complexity of exploitation. There is no impact on integrity or availability. No patches are currently linked, and no known exploits have been reported in the wild. The issue was reserved in September 2025 and published in October 2025 by Wordfence. The plugin is used primarily on WordPress sites that utilize AI-based originality checking for content, making it relevant for content-heavy websites and digital publishers.

For European organizations, this vulnerability poses a confidentiality risk by exposing sensitive content-related data to unauthorized users with minimal privileges. This could lead to leakage of unpublished post titles, internal scoring metrics, and usage data that might be leveraged for competitive intelligence or social engineering attacks. While the vulnerability does not allow modification or deletion of data, the exposure of internal metrics and content metadata could undermine trust and violate data protection policies, especially under GDPR if personal data or user-generated content is involved. Organizations relying on Originality.ai for content originality verification, such as media companies, educational institutions, and digital marketing agencies, are particularly at risk. The breach could also facilitate further attacks if attackers use the exposed data to craft targeted phishing or privilege escalation attempts. The lack of known exploits reduces immediate risk, but the ease of exploitation and the widespread use of WordPress in Europe mean the threat should be taken seriously.

1. Monitor for plugin updates from Originality.ai and apply patches promptly once released to address the missing authorization check. 2. Until patches are available, restrict Subscriber-level user accounts from accessing the plugin’s functionality by modifying user roles or capabilities using WordPress role management plugins. 3. Implement strict access controls and audit logging on WordPress sites to detect unusual access patterns to the wp_originalityai_log table or plugin endpoints. 4. Consider disabling or uninstalling the Originality.ai AI Checker plugin if it is not essential to reduce attack surface. 5. Conduct internal reviews of user privileges to ensure minimal necessary access is granted, especially for Subscriber roles. 6. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious API calls targeting the vulnerable function. 7. Educate site administrators about the risks of privilege escalation and unauthorized data access related to plugins. 8. Regularly back up WordPress databases and monitor for unauthorized data exfiltration attempts.