CVE-2025-14629
Description
The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can delete arbitrary WordPress media files because the Alchemist Ajax Upload plugin lacks a capability check in its 'delete_file' function.
The Alchemist Ajax Upload plugin for WordPress, versions up to and including 1.1, suffers from a missing capability check in the delete_file function. This function is intended for managing media uploads but fails to verify that the requesting user has the necessary permissions, such as the delete_others_posts or upload_files capability [1].
An unauthenticated attacker can exploit this by sending a specially crafted request to the delete_file endpoint, providing an arbitrary media attachment ID. No authentication or prior privileges are required, so the flaw is broadly exposed and simple to exploit [1].
The direct impact is unauthorized deletion of any WordPress media attachment, including images, documents, and other uploaded files. This can cause data loss, defacement of the site (by removing critical media), and disruption of services that rely on uploaded content. The plugin has been closed on the WordPress plugin repository due to this security issue as of January 21, 2026 [1].
Mitigation: The plugin is no longer available for download, and users are strongly advised to uninstall it immediately. No patch exists for version 1.1. The vulnerability is listed as exploitable without authentication, and there is no workaround other than removing the plugin [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
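For developers maintaining similar AJAX delete handlers, the sketch below shows the checks whose absence the description above reports. It is an added example, not code from the Alchemist Ajax Upload plugin; the action name, nonce name, POST field and function name are hypothetical.

```php
<?php
// Hypothetical hardened handler. The action, nonce and function names are
// illustrative assumptions, not taken from the plugin's source.

// Register only the authenticated hook. Adding a matching
// wp_ajax_nopriv_* hook would expose the handler to logged-out visitors.
add_action( 'wp_ajax_example_delete_file', 'example_delete_file' );

function example_delete_file() {
    // 1. CSRF: abort unless the request carries a valid nonce for this action.
    check_ajax_referer( 'example_delete_file', 'nonce' );

    // 2. Input: accept only a positive integer that refers to an attachment.
    $attachment_id = isset( $_POST['attachment_id'] )
        ? absint( wp_unslash( $_POST['attachment_id'] ) )
        : 0;
    if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // 3. Authorization: the 'delete_post' meta capability is checked against
    //    this specific object, so WordPress maps it to delete_posts for the
    //    user's own uploads and delete_others_posts for everyone else's.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 4. Only now perform the destructive action (true = bypass the trash).
    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}
```

The nonce alone is not an authorization control; the per-object capability check in step 3 is what prevents one user from deleting another user's media.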
Affected products
- (no CPE)
- (no CPE), range: <=1.1
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php (nvd)
- plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php (nvd)
- wordpress.org/plugins/alchemist-ajax-upload/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f (nvd)