CVE-2025-11996 identifies a missing authorization vulnerability (CWE-862) in the 'Find Unused Images' WordPress plugin developed by toastwebsites. This plugin, designed to help site administrators identify and remove unused images, contains critical flaws in two functions: fui_delete_image() and fui_delete_all_images(). These functions lack proper capability checks, meaning they do not verify whether the user initiating the deletion has the necessary permissions. As a result, unauthenticated attackers can invoke these functions remotely to delete all attachments on a WordPress site using this plugin, leading to unauthorized data loss. The vulnerability affects all versions up to and including 1.0.7. The CVSS 3.1 base score is 5.3 (medium), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), integrity impact (I:L), and no availability impact (A:N). This means the attacker can remotely delete images without authentication or user interaction, causing integrity loss but not affecting confidentiality or availability. No patches are currently available, and no known exploits have been reported in the wild. The vulnerability poses a significant risk to website content integrity, especially for organizations relying heavily on media assets managed by WordPress. The lack of authorization checks is a critical security oversight that could be exploited to disrupt website operations or cause reputational damage by removing important media files.

For European organizations, this vulnerability can lead to unauthorized deletion of all media attachments on WordPress sites using the affected plugin, resulting in loss of critical visual content, disruption of website functionality, and potential reputational damage. Organizations in sectors such as e-commerce, media, education, and government that rely on WordPress for content management are particularly vulnerable. The loss of images can degrade user experience, impact marketing efforts, and require costly recovery efforts. Since the exploit requires no authentication or user interaction, attackers can automate attacks at scale, increasing the risk of widespread impact. Although availability is not directly affected, the integrity loss can indirectly cause service disruption if media-dependent features break. The absence of known exploits currently reduces immediate risk, but the ease of exploitation and public disclosure increase the likelihood of future attacks. European organizations with limited WordPress security monitoring or outdated plugins are at higher risk. Additionally, the vulnerability could be leveraged as part of a broader attack chain to undermine trust in digital services.

1. Immediately audit WordPress sites for the presence of the 'Find Unused Images' plugin and identify affected versions (up to 1.0.7). 2. Disable or uninstall the plugin until a security patch is released by toastwebsites. 3. Monitor official plugin repositories and vendor communications for patch announcements and apply updates promptly. 4. Implement strict access controls on WordPress administrative interfaces, limiting plugin management capabilities to trusted users only. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable functions. 6. Regularly back up WordPress media libraries and site data to enable rapid restoration in case of data loss. 7. Conduct security awareness training for site administrators about plugin risks and the importance of timely updates. 8. Consider alternative plugins with better security track records for managing unused images. 9. Enable logging and alerting on deletion events within WordPress to detect unauthorized activity early. 10. Review and harden WordPress security configurations, including disabling unnecessary REST API endpoints if applicable.