
CVE-2025-11996: CWE-862 Missing Authorization in toastwebsites Find Unused Images

Severity: Medium
Tags: Vulnerability, CVE-2025-11996, CWE-862
Published: Tue Nov 11 2025 (11/11/2025, 03:30:35 UTC)
Source: CVE Database V5
Vendor/Project: toastwebsites
Product: Find Unused Images

Description

The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functions in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/27/2026, 19:48:03 UTC

Technical Analysis

CVE-2025-11996 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Find Unused Images plugin for WordPress, developed by toastwebsites. The vulnerability exists because the plugin fails to perform proper capability checks in the fui_delete_image() and fui_delete_all_images() functions. These functions are responsible for deleting individual or all unused images (attachments) from a WordPress site. Due to the missing authorization, unauthenticated attackers can invoke these functions remotely without any credentials or user interaction, enabling them to delete all attachments on the site. This results in unauthorized data loss, specifically the deletion of media files that may be critical for website content and functionality. The vulnerability affects all versions up to and including 1.0.7 of the plugin. The CVSS v3.1 base score is 5.3, indicating a medium severity level. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts only integrity (I:L) without affecting confidentiality (C:N) or availability (A:N). No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on October 20, 2025, and published on November 11, 2025.

Potential Impact

The primary impact of this vulnerability is unauthorized deletion of media attachments on WordPress sites using the affected plugin. This compromises the integrity of website content, potentially causing significant disruption to site appearance, functionality, and user experience. Organizations relying on this plugin may face data loss that could require time-consuming restoration from backups or manual re-upload of media assets. Although the vulnerability does not directly affect confidentiality or availability, the loss of media files can indirectly affect availability by degrading site usability and trustworthiness. For e-commerce, media-heavy, or content-driven websites, this could lead to reputational damage, loss of customer trust, and potential revenue loss. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, increasing the risk of opportunistic attacks. The lack of known exploits in the wild suggests limited current exploitation, but the vulnerability's simplicity and impact make it a likely target for future attacks.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately audit their WordPress installations for the presence of the Find Unused Images plugin, especially versions up to 1.0.7. If the plugin is installed, disable or uninstall it until a patched version is released. Since no official patch links are currently available, monitoring the vendor's announcements and WordPress plugin repository for updates is critical. As a temporary measure, restrict access to the plugin's endpoints via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests targeting the vulnerable functions. Implement strict file and directory permissions to limit the plugin's ability to delete attachments. Regularly back up all website data, including media files, to enable rapid recovery in case of exploitation. Additionally, consider deploying intrusion detection systems (IDS) or monitoring tools to detect unusual deletion activities. Educate site administrators about the risks of installing unverified plugins and encourage the use of plugins with active maintenance and security support.
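The root cause described in the Technical Analysis (a deletion handler reachable without any capability check) and the "block unauthenticated requests targeting the vulnerable functions" advice in the mitigation section both come down to the same WordPress pattern. The following is an added illustration, not the Find Unused Images plugin's own code: it assumes, as a labelled assumption, that the two functions are exposed as admin-ajax actions, and shows what the CWE-862 shape looks like next to a hardened handler that registers only for logged-in users, verifies a nonce, checks a capability, and logs denied attempts so that monitoring tools have something to alert on. The handler and nonce names are hypothetical, and the "unused attachment" query is a simplified stand-in for whatever criteria the real plugin uses.

```php
<?php
/**
 * Added example (not the plugin's code): hardening an attachment-deletion
 * handler against CWE-862 (Missing Authorization).
 *
 * Assumption: fui_delete_image() and fui_delete_all_images() are reachable
 * through admin-ajax.php. The hook and nonce names below are hypothetical.
 */

// BEFORE (the CWE-862 shape): registering the nopriv variant makes the
// handler reachable by anonymous visitors, and the body never asks who is
// calling. Kept as a comment so the contrast with the fix is visible.
//
// add_action( 'wp_ajax_fui_delete_image',        'fui_delete_image' );
// add_action( 'wp_ajax_nopriv_fui_delete_image', 'fui_delete_image' );
// function fui_delete_image() {
//     wp_delete_attachment( (int) $_POST['attachment_id'], true );
//     wp_die();
// }

// AFTER: no nopriv registration, and the handler enforces CSRF protection,
// input validation and a per-object capability check before deleting.
add_action( 'wp_ajax_fui_delete_image', 'fui_delete_image_hardened' );

function fui_delete_image_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (created in the admin page with wp_create_nonce( 'fui_delete_image_nonce' )).
    check_ajax_referer( 'fui_delete_image_nonce', 'nonce' );

    // 2. Input validation: a positive integer that really is an attachment.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment ID.' ), 400 );
    }

    // 3. Authorization: 'delete_post' is evaluated against this specific
    //    attachment, so a user lacking delete_others_posts cannot remove
    //    someone else's upload. Denials are logged for detection.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        error_log( sprintf( 'fui: denied delete of attachment %d for user %d', $attachment_id, get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $deleted = wp_delete_attachment( $attachment_id, true );
    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}

add_action( 'wp_ajax_fui_delete_all_images', 'fui_delete_all_images_hardened' );

function fui_delete_all_images_hardened() {
    check_ajax_referer( 'fui_delete_all_nonce', 'nonce' );

    // Bulk deletion is destructive site-wide, so require an administrative
    // capability rather than a per-object one.
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( 'fui: denied bulk delete for user %d', get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Simplified "unused" criterion (assumption): attachments not attached to
    // any post. The real plugin's definition may differ.
    $ids = get_posts( array(
        'post_type'      => 'attachment',
        'post_status'    => 'inherit',
        'post_parent'    => 0,
        'fields'         => 'ids',
        'posts_per_page' => -1,
    ) );

    $count = 0;
    foreach ( $ids as $id ) {
        // Re-check per object even for administrators, so a plugin or role
        // customisation that narrows delete rights is respected.
        if ( current_user_can( 'delete_post', $id ) && wp_delete_attachment( $id, true ) ) {
            $count++;
        }
    }
    wp_send_json_success( array( 'deleted_count' => $count ) );
}
```

The two properties worth checking in any plugin that deletes media are visible here: the handler is registered only on the privileged `wp_ajax_` hook (never `wp_ajax_nopriv_` for a destructive action), and the body itself calls `current_user_can()` rather than trusting the hook alone, since other code paths (REST routes, direct function calls from other hooks) can reach the same function. The `error_log()` calls on the denied branches give the IDS or log-monitoring recommended above a concrete signal to alert on.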


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-20T20:44:00.939Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6912b13014bc3e00ba783d2c

Added to database: 11/11/2025, 3:44:48 AM

Last enriched: 2/27/2026, 7:48:03 PM

Last updated: 3/24/2026, 5:42:05 PM

Views: 92
