CVE-2025-10901: CWE-862 Missing Authorization in originalityai Originality.ai AI Checker
The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ai_get_table' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.
AI Analysis
Technical Summary
CVE-2025-10901 is a vulnerability identified in the Originality.ai AI Checker plugin for WordPress, affecting all versions up to and including 1.0.12. The core issue is a missing authorization check (CWE-862) in the 'ai_get_table' function, which is responsible for retrieving data from the wp_originalityai_log database table. This table contains sensitive information such as post titles, AI scan scores, and credits used by the plugin. Because the plugin fails to verify whether the requesting user has sufficient privileges, any authenticated user with Subscriber-level access or higher can exploit this flaw to read all stored log data. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS v3.1 score of 4.3 (medium severity) reflects the vulnerability's impact on confidentiality only, with no effect on integrity or availability. The attack vector is network-based, with low attack complexity and no user interaction required, but it does require some level of authentication. No patches or updates have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability was reserved on 2025-09-23 and published on 2025-10-24 by Wordfence. This vulnerability can lead to unauthorized disclosure of sensitive operational data, which could be leveraged for further attacks or reconnaissance.
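The missing-authorization pattern described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress AJAX handler that reads a log table, shown first without and then with the capability check that CWE-862 describes as absent. The handler names, the `example_log` table and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
// Added illustration, not the Originality.ai plugin's implementation.
// Hypothetical table name; the page names wp_originalityai_log, but this
// code does not reproduce the plugin's handler.
function example_log_table_name() {
    global $wpdb;
    return $wpdb->prefix . 'example_log';
}

// Vulnerable pattern: every logged-in user can reach wp_ajax_* hooks, and
// nothing here checks who is asking, so a Subscriber receives every row.
function example_get_table_vulnerable() {
    global $wpdb;
    $rows = $wpdb->get_results(
        'SELECT id, post_title, score, credits FROM ' . example_log_table_name(),
        ARRAY_A
    );
    wp_send_json_success( $rows );
}

// Hardened pattern: require a capability appropriate to the data (admin-only
// here) and a nonce before the table is touched.
function example_get_table_hardened() {
    // Nonce check ties the request to a form or script the site issued (CSRF).
    check_ajax_referer( 'example_log_table', 'nonce' );
    // Capability check: the authorization step that CWE-862 says is missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    global $wpdb;
    $rows = $wpdb->get_results(
        'SELECT id, post_title, score, credits FROM ' . example_log_table_name(),
        ARRAY_A
    );
    wp_send_json_success( $rows );
}

// Register only the hardened handler, and only for authenticated requests
// (no wp_ajax_nopriv_ variant), so anonymous users never reach it.
add_action( 'wp_ajax_example_get_table', 'example_get_table_hardened' );
```

When reviewing a plugin's own AJAX or REST handlers, the check to look for is exactly the `current_user_can()` call before any database read; a handler registered on a `wp_ajax_` hook without one is reachable by any Subscriber.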
Potential Impact
For European organizations, the primary impact of CVE-2025-10901 is the unauthorized disclosure of sensitive data stored by the Originality.ai plugin. This includes post titles, AI originality scan scores, and credit usage information, which may reveal editorial workflows, content strategies, or usage patterns. While the vulnerability does not allow modification or deletion of data, the exposure of such information could aid attackers in crafting targeted phishing campaigns or social engineering attacks. Websites relying on this plugin for content originality verification may suffer reputational damage if confidential editorial data is leaked. Additionally, organizations subject to strict data protection regulations like GDPR must consider the potential compliance implications of unauthorized data access. The requirement for authenticated access reduces the attack surface but does not eliminate risk, especially in environments where subscriber accounts are easily created or compromised. The vulnerability is particularly relevant for media companies, educational institutions, and content-heavy websites using WordPress and the affected plugin across Europe.
Mitigation Recommendations
1. Immediately restrict Subscriber-level user capabilities to prevent unauthorized access to the plugin's data retrieval functions, for example by implementing custom role permissions or limiting plugin access to trusted roles only.
2. Monitor and audit user accounts with Subscriber or higher privileges to detect any suspicious activity or unauthorized access attempts.
3. Apply web application firewall (WAF) rules to detect and block suspicious requests targeting the 'ai_get_table' function or related API endpoints.
4. If possible, disable or uninstall the Originality.ai AI Checker plugin until an official patch or update addressing the missing authorization check is released.
5. Follow vendor communications closely for security updates or patches and apply them promptly once available.
6. Implement network segmentation and least privilege principles to reduce the risk of lateral movement if subscriber accounts are compromised.
7. Educate users about the risks of account compromise and enforce strong authentication mechanisms, such as multi-factor authentication, to reduce the likelihood of unauthorized access.
8. Regularly back up WordPress databases and monitor logs for unusual access patterns related to the plugin.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-23T23:39:25.069Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fb3a1e0691a1b59916070a
Added to database: 10/24/2025, 8:34:38 AM
Last enriched: 10/24/2025, 8:52:57 AM
Last updated: 10/30/2025, 5:07:37 AM