CVE-2025-10902: CWE-285 Improper Authorization in originalityai Originality.ai AI Checker
The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.
AI Analysis
Technical Summary
The Originality.ai AI Checker plugin for WordPress suffers from an improper authorization vulnerability identified as CVE-2025-10902 (CWE-285). The vulnerability exists because the 'ai_scan_result_remove' function lacks the capability check that would restrict it to authorized users. As a result, any authenticated user with at least Subscriber-level privileges can invoke this function to delete all entries in the wp_originalityai_log database table. This table stores critical data such as post titles, AI scan scores, and credits used for scans. The vulnerability affects all plugin versions up to and including 1.0.12. The CVSS v3.1 base score is 4.3, a medium severity that reflects the ease of exploitation (low attack complexity, no user interaction) and the limited impact (integrity loss only). The flaw does not expose confidential information or cause denial of service, but it compromises data integrity by enabling unauthorized data deletion. No patches or fixes have been linked yet, and no active exploitation has been reported. The vulnerability is exploitable over the network and requires authentication, but no privileges beyond the Subscriber role, which is commonly assigned to registered users on WordPress sites.
Potential Impact
This vulnerability primarily impacts the integrity of data maintained by the Originality.ai AI Checker plugin. Unauthorized deletion of the wp_originalityai_log table entries can result in loss of historical scan data, including post titles and AI-generated originality scores, which may affect content management and auditing processes. Organizations relying on this plugin for content originality verification could face operational disruptions and reduced trust in their content validation workflows. Although it does not directly expose sensitive data or cause service outages, the ability for low-privilege users to delete data could be leveraged in targeted attacks to sabotage content integrity or cover tracks. The impact is more significant for larger organizations or content-heavy websites that depend on accurate AI scan logs for compliance or editorial oversight. Since the vulnerability requires authenticated access, the risk is higher in environments with weak user account management or where subscriber accounts are widely distributed.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately restrict Subscriber-level user capabilities to the minimum necessary and audit user roles to ensure no unauthorized accounts exist. Implement strict access control policies on WordPress user roles, especially limiting the number of users with Subscriber or higher privileges. Monitor and log all database modification activities related to the wp_originalityai_log table to detect suspicious deletions. Until an official patch is released, consider disabling or uninstalling the Originality.ai AI Checker plugin if it is not critical to operations. If continued use is necessary, apply custom code or security plugins to enforce capability checks on the 'ai_scan_result_remove' function, ensuring only authorized administrators can execute it. Regularly back up the WordPress database, including plugin-specific tables, to enable recovery from unauthorized deletions. Stay alert for updates from the vendor and apply patches promptly once available.
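The capability check described above, written as a hardened WordPress admin-ajax handler. This is an added example, not the plugin's or vendor's code: the hook name 'example_scan_log_remove' and the nonce action string are assumptions, while the table name follows the page (wp_originalityai_log under the default 'wp_' prefix).

```php
<?php
// Added example, not the Originality.ai plugin's own code. A hardened
// admin-ajax handler for purging the scan log: it enforces the capability
// check that CVE-2025-10902 describes as missing, verifies a nonce, and
// records who triggered the purge. The action name 'example_scan_log_remove'
// and the nonce action string are assumptions.

add_action( 'wp_ajax_example_scan_log_remove', 'example_scan_log_remove' );

function example_scan_log_remove() {
    // Authorization: Subscribers do not hold 'manage_options', so they are
    // refused here before any database query runs. This is the check whose
    // absence lets any logged-in user wipe the table.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Request-forgery protection: the caller must present a nonce minted
    // for this specific action via wp_create_nonce( 'example_scan_log_remove' ).
    check_ajax_referer( 'example_scan_log_remove', 'nonce' );

    global $wpdb;
    $table = $wpdb->prefix . 'originalityai_log';

    // Audit trail: record the actor so a purge is attributable and can be
    // alerted on, as the mitigation section recommends.
    error_log( sprintf(
        '[scan-log] purge requested by user %d (%s)',
        get_current_user_id(),
        wp_get_current_user()->user_login
    ) );

    // $table is built from the trusted $wpdb->prefix, not from user input.
    $deleted = $wpdb->query( "DELETE FROM {$table}" );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

The same two checks (current_user_can plus check_ajax_referer) can be placed in a must-use plugin hooked at an earlier priority to gate an existing handler until a vendor fix ships.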
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Netherlands, Japan, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-23T23:43:02.828Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fb3a1e0691a1b59916070e
Added to database: 10/24/2025, 8:34:38 AM
Last enriched: 2/27/2026, 6:43:16 PM
Last updated: 3/25/2026, 4:13:46 AM