CVE-2025-10902: CWE-285 Improper Authorization in originalityai Originality.ai AI Checker
The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.
AI Analysis
Technical Summary
CVE-2025-10902 is an improper authorization vulnerability (CWE-285) in the Originality.ai AI Checker plugin for WordPress, affecting all versions up to and including 1.0.12. The 'ai_scan_result_remove' function performs a destructive database operation without first verifying that the caller holds an appropriate capability. In a WordPress plugin a missing check of this kind usually means the handler is reachable through admin-ajax.php or another authenticated entry point without ever calling current_user_can(); WordPress core authenticates such requests but does no authorization, so the handler itself must. The advisory does not name the entry point, only the function. Because the check is absent, any user with Subscriber-level access or higher can invoke the function and delete every row in the wp_originalityai_log database table, which stores post titles, AI scan scores, credits used and other metadata the plugin records during its content analysis. Subscriber is the lowest default WordPress role: it is granted automatically on any site with open registration ("Anyone can register" under Settings > General) and is the role most likely to sit behind a weak or compromised account, so the authentication requirement is a thin barrier in multi-user environments. The attack is network-based, requires only a valid login, and needs no interaction from any other user. The CVSS v3.1 base score is 4.3 (medium); that score corresponds to a low-privileged, network-reachable vector with no confidentiality or availability impact and an integrity impact rated low in the CVSS model, even though the practical effect is the wholesale loss of the plugin's log table. The analysis records no published patch at the time of disclosure and no known exploitation in the wild; operators should check the plugin changelog for a release after 1.0.12 before relying on that statement. Exploitation sabotages the integrity of the AI content-scanning record, which can disrupt content-verification workflows and erase audit trails and usage data that organizations relying on Originality.ai may need to keep.
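To make the CWE-285 shape concrete, the following is an added illustration, not the plugin's source (which this page does not reproduce), of the pattern the advisory describes beside the fix a plugin author would apply. Everything beyond what the advisory states is an assumption: that the function is reached through an admin-ajax.php action named ai_scan_result_remove, the nonce name, the function names, and the exact SQL.

```php
<?php
/*
 * Added illustration of the CWE-285 pattern described in the advisory.
 * This is NOT the Originality.ai plugin's source. Assumptions: the deletion is
 * reached through an admin-ajax.php action named 'ai_scan_result_remove', the
 * nonce name 'oai_remove_nonce', the function names, and the exact SQL.
 */

// Any logged-in user, Subscriber included, can fire a wp_ajax_{action} hook by
// POSTing action=<name> to /wp-admin/admin-ajax.php. WordPress core performs
// authentication for these hooks but NO authorization; that is the handler's job.

// ---- Vulnerable shape: no capability check, no nonce -------------------------
function oai_scan_result_remove_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'originalityai_log';
    $wpdb->query( "DELETE FROM `{$table}`" );   // wipes every row for any caller
    wp_send_json_success( array( 'removed' => true ) );
}

// ---- Hardened shape ----------------------------------------------------------
function oai_scan_result_remove_fixed() {
    global $wpdb;

    // Authorization (the control CWE-285 says is missing): require an
    // administrative capability. On a single-site install 'manage_options' is
    // held by Administrators only; Subscribers, Contributors, Authors and
    // Editors fail this test.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    // CSRF protection: the page that offers the "remove" button must emit the
    // same nonce with wp_create_nonce( 'oai_remove_nonce' ). On a mismatch this
    // call dies with HTTP 403 before any query runs.
    check_ajax_referer( 'oai_remove_nonce', 'nonce' );

    $table = $wpdb->prefix . 'originalityai_log';
    $rows  = $wpdb->query( "DELETE FROM `{$table}`" );

    wp_send_json_success( array( 'removed' => (int) $rows ) );
}

// Only one callback would be registered in a real plugin; the vulnerable one is
// left unhooked so this file can be dropped into a test site without recreating
// the bug.
add_action( 'wp_ajax_ai_scan_result_remove', 'oai_scan_result_remove_fixed' );
```

The order of the two checks matters: the capability test comes first because a nonce proves only that the request originated from a page WordPress rendered for this user, not that the user is allowed to do anything; a Subscriber with a valid nonce is still a Subscriber.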
Potential Impact
For European organizations, the risk from this vulnerability is chiefly to the integrity of the records the plugin keeps about AI content scanning and originality verification. Deleting the contents of wp_originalityai_log can disrupt content-management workflows, impair audit and compliance processes that rely on those records, and undermine trust in automated content verification. Media, publishing, education and digital-marketing organizations that run WordPress with this plugin are the most exposed. The vulnerability does not itself compromise confidentiality or availability, but losing scan results and usage data means operational downtime and administrative effort to restore records or re-verify content. Unauthorized deletion could also serve a broader attack, for example to remove evidence of which content was scanned and when. Because exploitation requires an authenticated account, the largest risk comes from insiders, compromised low-privilege accounts, and sites that allow self-registration. GDPR obligations apply if the deleted rows contain personal data or form part of records an organization is required to retain. The medium rating means the issue is not critical, but it warrants timely attention to prevent operational impact.
Mitigation Recommendations
Mitigation should start with the plugin itself: check whether the vendor has published a release newer than 1.0.12 and update to it; if none exists and the plugin is not essential, deactivate or uninstall it until a fix is available. Next, shrink the pool of accounts that can reach the vulnerable function: disable open registration (Settings > General, "Anyone can register") unless it is needed, review and remove stale Subscriber accounts, and require multi-factor authentication for every account that remains. WordPress core does not log calls to plugin functions, so detection has to come from elsewhere: web-server access logs for POST requests to admin-ajax.php or the plugin's own entry point from non-administrator sessions, an activity-logging plugin, or a scheduled row count of wp_originalityai_log that flags a sudden drop. Back up the database regularly and confirm that plugin-specific tables, not just core tables, are included, since the deletion is irreversible without a backup. A web application firewall can add a layer, but the advisory gives no request signature; derive one by inspecting the plugin's handler or observing legitimate traffic before writing a rule, rather than guessing at parameter names. Finally, apply least privilege across all WordPress roles and make content managers and administrators aware that a low-privilege account is sufficient for this attack.
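As an added example (not vendor code and not part of the plugin), a must-use plugin that implements two of the recommendations above until a fixed release is installed: it front-runs the handler with a capability check and keeps a periodic row count of wp_originalityai_log so a wipe is noticed. It assumes the deletion is reached through the admin-ajax.php action ai_scan_result_remove, which the advisory does not confirm; if the plugin uses a different entry point the guard is inert and only the row-count monitor applies. The function names and option name are choices made for this example.

```php
<?php
/**
 * Plugin Name: OAI log guard (temporary mitigation for CVE-2025-10902)
 * Added example, not vendor code. Drop into wp-content/mu-plugins/.
 * Assumption: the vulnerable deletion is reached via the admin-ajax.php
 * action 'ai_scan_result_remove'. The table name is taken from the advisory.
 */

// 1. Front-run the plugin's handler. wp_ajax_* callbacks run in priority
//    order; priority 0 executes before the plugin's default priority of 10,
//    and wp_send_json_error() ends the request, so the real handler never runs
//    for a non-administrator.
add_action( 'wp_ajax_ai_scan_result_remove', 'oai_guard_block_low_privilege', 0 );

function oai_guard_block_low_privilege() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the plugin's own handler
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'oai-guard: blocked ai_scan_result_remove for user %d (roles: %s) from %s',
        $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
}

// 2. Detect a wipe after the fact, whatever entry point was used: snapshot the
//    row count hourly and log whenever it shrinks. Legitimate administrator
//    clean-ups will also be logged, which is the point: every drop gets a line
//    in the PHP error log with a timestamp to correlate against access logs.
add_action( 'init', 'oai_guard_schedule' );
function oai_guard_schedule() {
    if ( ! wp_next_scheduled( 'oai_guard_check_rows' ) ) {
        wp_schedule_event( time(), 'hourly', 'oai_guard_check_rows' );
    }
}

add_action( 'oai_guard_check_rows', 'oai_guard_check_rows' );
function oai_guard_check_rows() {
    global $wpdb;
    $table = $wpdb->prefix . 'originalityai_log';
    $now   = (int) $wpdb->get_var( "SELECT COUNT(*) FROM `{$table}`" );
    $prev  = (int) get_option( 'oai_guard_row_count', $now ); // first run: no baseline
    if ( $now < $prev ) {
        error_log( sprintf( 'oai-guard: %s shrank from %d to %d rows', $table, $prev, $now ) );
    }
    update_option( 'oai_guard_row_count', $now, false );
}
```

Must-use plugins need no activation and cannot be disabled from the dashboard, which is what you want for a stopgap; remove the file once the plugin is updated, and clear the scheduled event with wp_clear_scheduled_hook() if you care about a stale cron entry. WP-Cron only fires on page requests, so on a low-traffic site drive it from a system cron job or the hourly check will lag. The guard logs the blocked user's ID and roles rather than silently returning so that a blocked attempt is itself an indicator worth investigating.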
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-23T23:43:02.828Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fb3a1e0691a1b59916070e
Added to database: 10/24/2025, 8:34:38 AM
Last enriched: 10/24/2025, 8:52:43 AM
Last updated: 10/29/2025, 6:47:25 AM
Related Threats
- CVE-2025-9544: CWE-862 Missing Authorization in Doppler Forms (severity: Unknown)
- CVE-2025-49042: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Automattic WooCommerce (severity: Medium)
- How to collect memory-only filesystems on Linux systems, (Wed, Oct 29th) (severity: Medium)
- CVE-2025-62776: Uncontrolled Search Path Element in Wireless Tsukamoto Co., Ltd. WTW EAGLE (for Windows) (severity: High)
- CVE-2025-11705: CWE-862 Missing Authorization in scheeeli Anti-Malware Security and Brute-Force Firewall (severity: Medium)