The Originality.ai AI Checker plugin for WordPress, up to and including version 1.0.12, contains an improper authorization vulnerability identified as CVE-2025-10902. The root cause is the absence of a proper capability check in the 'ai_scan_result_remove' function, which is responsible for deleting scan result data stored in the wp_originalityai_log database table. This table holds sensitive information such as post titles, AI scan scores, credits used for scans, and other metadata related to content originality checks. Because the function lacks authorization validation, any authenticated user with at least Subscriber-level privileges can invoke this function to delete all records in the table. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, and impacts integrity but not confidentiality or availability. There are no known exploits in the wild, and no patches have been published at the time of disclosure. This vulnerability falls under CWE-285 (Improper Authorization), indicating that the plugin fails to enforce proper access control on sensitive operations. The impact is primarily data integrity loss, which can disrupt content originality verification workflows and audit trails within WordPress sites using this plugin.

For European organizations, especially those relying on WordPress for content management and using the Originality.ai AI Checker plugin, this vulnerability can lead to unauthorized deletion of critical data related to content originality verification. Loss of scan results and related metadata can impair editorial workflows, reduce trust in content authenticity processes, and potentially cause operational disruptions. Although the vulnerability does not expose confidential data or cause denial of service, the integrity loss could affect compliance with content governance policies and audit requirements. Organizations in sectors such as media, publishing, education, and digital marketing—where content originality verification is crucial—may face reputational damage or operational inefficiencies. The ease of exploitation by low-privilege users increases the risk, especially in environments with many contributors or where subscriber accounts are widely granted. Since the vulnerability affects data integrity without impacting availability or confidentiality, the overall business impact is moderate but non-negligible.

Until an official patch is released, European organizations should implement the following mitigations: 1) Restrict Subscriber-level user permissions by reviewing and limiting who can authenticate with such roles, minimizing the number of users with access to the vulnerable function. 2) Employ WordPress security plugins or custom code to enforce capability checks on the 'ai_scan_result_remove' function, effectively adding missing authorization controls. 3) Monitor and audit database changes to the wp_originalityai_log table to detect unauthorized deletions promptly. 4) Regularly back up the WordPress database, including the wp_originalityai_log table, to enable restoration in case of data loss. 5) Educate content contributors and administrators about the risk and encourage reporting of suspicious activities. 6) Once available, apply the official security patch from Originality.ai immediately. 7) Consider isolating or disabling the Originality.ai plugin temporarily if the risk outweighs the benefits until a fix is deployed. These steps go beyond generic advice by focusing on role management, monitoring, and interim protective controls specific to this vulnerability.