
CVE-2025-8268: CWE-862 Missing Authorization in tigroumeow AI Engine

Severity: Medium
Tags: Vulnerability, CVE-2025-8268, CWE-862
Published: Wed Sep 03 2025 (09/03/2025, 20:24:15 UTC)
Source: CVE Database V5
Vendor/Project: tigroumeow
Product: AI Engine

Description

The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users.

AI-Powered Analysis

Last updated: 09/03/2025, 20:48:33 UTC

Technical Analysis

CVE-2025-8268 is a security vulnerability identified in the AI Engine plugin developed by tigroumeow for WordPress. This vulnerability is classified under CWE-862, which corresponds to missing authorization checks. Specifically, the flaw exists in the rest_list and delete_files functions of the plugin in all versions up to and including 2.9.5. Due to the absence of proper capability checks, unauthenticated attackers can exploit this vulnerability to list and delete files uploaded by other users. The vulnerability is remotely exploitable over the network without requiring any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact primarily affects confidentiality and integrity, allowing unauthorized access to sensitive files and the potential deletion of user data. However, availability is not impacted. The CVSS score of 6.5 categorizes this as a medium severity vulnerability. No known exploits have been reported in the wild as of the publication date, and no patches have been linked yet. The vulnerability poses a significant risk to WordPress sites using the tigroumeow AI Engine plugin, especially those that allow file uploads, as attackers can enumerate and remove files belonging to other users, potentially leading to data loss and privacy breaches.
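The missing-capability-check pattern the analysis describes, as an added example of hypothetical plugin code (not the AI Engine plugin's own source): a REST route registered with a permission callback that always returns true, beside a hardened registration whose callback requires a logged-in user with a capability before the handler runs. The namespace, route paths, handler names, capability and upload subdirectory are all assumptions.

```php
<?php
// Added example, hypothetical plugin code (not the AI Engine plugin's source);
// assumed names: namespace 'example/v1', capability 'upload_files', dir 'example-plugin'.
add_action( 'rest_api_init', function () {
    // VULNERABLE (CWE-862): permission_callback always returns true, so
    // unauthenticated requests reach the listing handler.
    register_rest_route( 'example/v1', '/files', array(
        'methods'             => 'GET',
        'callback'            => 'example_rest_list',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: same route shape, but the permission callback enforces
    // authentication and a capability before the handler is invoked.
    register_rest_route( 'example/v1', '/files/delete', array(
        'methods'             => 'POST',
        'callback'            => 'example_delete_files',
        'permission_callback' => 'example_can_manage_files',
    ) );
} );

function example_can_manage_files( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

function example_rest_list( WP_REST_Request $request ) {
    $dir   = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-plugin';
    $names = is_dir( $dir ) ? array_values( array_diff( scandir( $dir ), array( '.', '..' ) ) ) : array();
    return rest_ensure_response( $names );
}

function example_delete_files( WP_REST_Request $request ) {
    // A capability check alone still lets any uploader delete other users' files;
    // a per-file owner check against the plugin's own metadata belongs here too.
    $base    = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-plugin/';
    $deleted = array();
    foreach ( (array) $request->get_param( 'files' ) as $name ) {
        $safe = basename( (string) $name ); // drops any directory/traversal components
        $path = $base . $safe;
        if ( is_file( $path ) ) {
            wp_delete_file( $path );
            $deleted[] = $safe;
        }
    }
    return rest_ensure_response( array( 'deleted' => $deleted ) );
}
```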

Potential Impact

For European organizations, this vulnerability can have several adverse effects. Many European businesses and institutions rely on WordPress for their websites and content management, and the AI Engine plugin may be used to enhance site functionality with AI features. The ability for unauthenticated attackers to list and delete uploaded files can lead to exposure of sensitive or proprietary data, violating data protection regulations such as the GDPR. Data loss caused by unauthorized deletion can disrupt business operations, damage reputation, and incur financial costs related to recovery and compliance penalties. Additionally, the breach of confidentiality may erode customer trust and lead to legal consequences. Organizations in sectors such as e-commerce, media, education, and government, which often handle sensitive user data and rely on WordPress, are particularly at risk. The vulnerability’s ease of exploitation without authentication increases the likelihood of opportunistic attacks, making timely mitigation critical.

Mitigation Recommendations

European organizations should take immediate and specific actions to mitigate this vulnerability beyond generic advice. First, they should audit their WordPress installations to identify if the tigroumeow AI Engine plugin is installed and determine the version in use. If the plugin is present and running a vulnerable version (up to 2.9.5), organizations should disable or remove the plugin until a security patch is released. If disabling is not feasible, restrict access to the WordPress REST API endpoints related to rest_list and delete_files via web application firewalls (WAFs) or server-level access controls to block unauthenticated requests targeting these functions. Implement strict file upload policies and monitor file system changes to detect unauthorized deletions or listings. Regularly back up uploaded files and site data to enable recovery in case of data loss. Additionally, organizations should subscribe to vendor advisories and security mailing lists to promptly apply patches once available. Conducting penetration testing focusing on REST API endpoints can help identify similar authorization issues. Finally, consider deploying intrusion detection systems (IDS) that can flag unusual REST API activity indicative of exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-27T14:53:48.378Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68b8a5f1ad5a09ad00fa3003

Added to database: 9/3/2025, 8:32:49 PM

Last enriched: 9/3/2025, 8:48:33 PM

Last updated: 9/4/2025, 10:24:34 PM