VYPR
Medium severity 4.3 · NVD Advisory · Published Jun 27, 2025 · Updated Apr 23, 2026

CVE-2025-53272

Description

Cross-Site Request Forgery (CSRF) vulnerability in opicron Image Cleanup image-cleanup allows Cross Site Request Forgery. This issue affects Image Cleanup: from n/a through <= 1.9.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Image Cleanup plugin for WordPress allows attackers to force privileged users to execute unintended actions.

Vulnerability Details

The Image Cleanup plugin for WordPress (version ≤ 1.9.2) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw occurs because the plugin does not properly validate or verify requests made by authenticated users, allowing an attacker to trick a privileged user into performing unintended actions [1].

Exploitation

To exploit this vulnerability, an attacker must craft a malicious link or page that, when visited by an authenticated administrator or other privileged user, triggers an unwanted action within the plugin. The only interaction required is the victim clicking a link or submitting a form; without that user interaction the attacker cannot execute actions [1].

Impact

Successful exploitation could allow an attacker to force higher privileged users to execute unwanted actions under their current authentication session. Potential consequences include unauthorized modifications to image cleanup settings, deletion of images, or other operations within the plugin's capabilities [1].

Mitigation

The vulnerability affects all versions up to and including 1.9.2. Users are strongly advised to update the plugin to the latest patched version if available. If an update is not possible, users should implement additional security measures such as CSRF tokens or restrict administrative access [1].
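
The CSRF tokens named above are called nonces in WordPress. The following is an added example, not the Image Cleanup plugin's code and not part of the advisory: a hypothetical admin action (every `example_` name, the form fields and the delete operation are assumptions) that checks request method, capability and nonce before changing state.

```php
<?php
/**
 * Plugin Name: Example Nonce-Protected Admin Action (hypothetical)
 * Illustration only: all "example_" identifiers are invented, not Image Cleanup's.
 */

// Render the form on an admin screen. wp_nonce_field() emits a hidden token
// tied to the current user, their session and the action string.
function example_render_delete_form( $attachment_id ) {
    $attachment_id = absint( $attachment_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_delete_image">
        <input type="hidden" name="attachment_id" value="<?php echo esc_attr( $attachment_id ); ?>">
        <?php wp_nonce_field( 'example_delete_image_' . $attachment_id, 'example_nonce' ); ?>
        <?php submit_button( 'Delete image', 'delete' ); ?>
    </form>
    <?php
}

// admin-post.php routes authenticated requests to admin_post_{action}.
add_action( 'admin_post_example_delete_image', 'example_handle_delete_image' );

function example_handle_delete_image() {
    // State changes are accepted over POST only.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed.', '', array( 'response' => 405 ) );
    }

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;

    // CSRF check: the nonce must match this user, this action and this object.
    // check_admin_referer() stops the request itself when the token is missing or stale.
    check_admin_referer( 'example_delete_image_' . $attachment_id, 'example_nonce' );

    // Authorization check: a valid session alone does not grant the action.
    if ( ! $attachment_id || ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_die( 'You are not allowed to delete this item.', '', array( 'response' => 403 ) );
    }

    wp_delete_attachment( $attachment_id, true );

    wp_safe_redirect( admin_url( 'upload.php' ) );
    exit;
}
```

The nonce and the capability check are both needed: the nonce shows the request came from a form the site rendered for this user, and the capability check shows that user may perform the action.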

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
