CVE-2025-8268 identifies a missing authorization vulnerability (CWE-862) in the tigroumeow AI Engine plugin for WordPress, affecting all versions up to 2.9.5. The vulnerability arises because the plugin's rest_list and delete_files functions do not perform proper capability checks before allowing access. As a result, unauthenticated attackers can remotely invoke these functions via the WordPress REST API to enumerate files uploaded by other users and delete them without any authentication or user interaction. This lack of access control undermines the confidentiality and integrity of user-uploaded data. The vulnerability is network exploitable with low attack complexity and no privileges required, making it accessible to a wide range of attackers. Although there are no known exploits in the wild yet, the potential for data loss and unauthorized data exposure is significant. The vulnerability does not impact availability directly but can cause data integrity issues through unauthorized deletions. The CVSS 3.1 base score of 6.5 reflects these factors, categorizing it as a medium severity issue. The vulnerability was publicly disclosed on September 3, 2025, and no official patches have been linked yet, increasing the urgency for organizations to implement interim mitigations. Given the widespread use of WordPress globally and the growing adoption of AI-related plugins, this vulnerability could affect a broad range of websites, especially those relying on tigroumeow AI Engine for AI-powered content or services.

The primary impact of CVE-2025-8268 is unauthorized access to and deletion of user-uploaded files within WordPress sites using the tigroumeow AI Engine plugin. This can lead to loss of critical data, disruption of website functionality, and potential exposure of sensitive information. For organizations, this undermines data integrity and confidentiality, potentially damaging reputation and trust with users. Attackers could exploit this vulnerability to delete important media or documents, causing operational disruptions and requiring costly recovery efforts. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, increasing the likelihood of exploitation. Although availability is not directly affected, the deletion of files can indirectly disrupt services relying on those files. Organizations in sectors such as e-commerce, media, education, and any business relying on WordPress for content management are particularly at risk. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed rapidly after public disclosure.

1. Immediately restrict access to the tigroumeow AI Engine plugin’s REST API endpoints (rest_list and delete_files) using web application firewalls (WAFs) or server-level access controls to block unauthenticated requests. 2. Monitor web server and WordPress logs for unusual or unauthorized REST API calls targeting these functions to detect potential exploitation attempts. 3. Disable or uninstall the tigroumeow AI Engine plugin if it is not essential to reduce attack surface until an official patch is released. 4. Implement strict file permission policies on the server to limit the ability of the plugin to delete files outside its intended scope. 5. Keep WordPress core and all plugins updated; watch for official patches or security updates from tigroumeow and apply them promptly. 6. Employ multi-factor authentication and least privilege principles for WordPress admin accounts to reduce the risk of broader compromise. 7. Regularly back up all website data, including user-uploaded files, to enable rapid recovery in case of data deletion. 8. Engage in threat intelligence sharing within the WordPress community to stay informed about emerging exploits or mitigation techniques related to this vulnerability.