CVE-2025-14629 is a vulnerability identified in the Alchemist Ajax Upload plugin for WordPress, developed by tandubhai. The issue arises due to a missing authorization (capability) check in the 'delete_file' function across all versions up to and including 1.1. This function is responsible for deleting media files uploaded to WordPress sites. Because the plugin fails to verify whether the requester has the necessary permissions to delete files, unauthenticated attackers can invoke this function remotely to delete arbitrary media attachments. The vulnerability is classified under CWE-862 (Missing Authorization), indicating a failure to enforce proper access controls. The CVSS 3.1 base score is 5.3 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, meaning it is remotely exploitable without authentication or user interaction, impacts integrity but not confidentiality or availability, and affects the same security scope. No patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability could be exploited by attackers to remove critical media files, potentially disrupting website content and operations dependent on those files.

The primary impact of CVE-2025-14629 is on the integrity of WordPress site content. Unauthorized deletion of media files can lead to loss of images, documents, or other media assets critical for website functionality, branding, or user experience. While it does not directly affect confidentiality or availability, the removal of media can degrade site quality, cause broken links or missing content, and potentially harm business reputation. For organizations relying heavily on WordPress for content management, especially those using the Alchemist Ajax Upload plugin, this vulnerability could be exploited to sabotage media resources or disrupt marketing and communication efforts. The ease of exploitation (no authentication or user interaction required) increases the risk of automated or mass attacks. However, the lack of known exploits and the medium CVSS score suggest the threat is moderate but should not be ignored. Organizations with high reliance on media content and public-facing WordPress sites are most at risk.

Since no official patches are currently available, organizations should implement immediate compensating controls. First, restrict access to the plugin's AJAX endpoints by configuring web application firewalls (WAFs) or server rules to block unauthorized requests targeting the 'delete_file' function. Monitor web server and WordPress logs for unusual or repeated deletion requests, especially from unauthenticated sources. Disable or uninstall the Alchemist Ajax Upload plugin if it is not essential. If the plugin is critical, consider isolating the WordPress instance or limiting media upload permissions to trusted users only. Regularly back up media files and WordPress databases to enable recovery from unauthorized deletions. Stay alert for vendor updates or patches and apply them promptly once available. Additionally, review and harden WordPress user roles and capabilities to minimize exposure to similar authorization issues.