CVE-2025-62736

Vulnerability

Description The Image Cleanup WordPress plugin versions through 1.9.2 are affected by a missing authorization vulnerability [1]. This flaw is categorized as a broken access control issue, where the plugin fails to properly enforce access controls on certain functions, allowing an unprivileged user to execute higher privileged actions.

Exploitation

An attacker can exploit this vulnerability without needing to authenticate, by sending crafted requests to the vulnerable plugin endpoints. The lack of proper authorization checks enables the attacker to access or modify resources that should be restricted. This type of vulnerability is commonly used in mass-exploit campaigns targeting WordPress sites [1].

Impact

Successful exploitation could allow an attacker to perform unauthorized actions, such as deleting or manipulating image data, potentially leading to site defacement or data loss. The CVSS v3 score of 4.3 indicates a medium severity, but the ease of exploitation increases the risk for unpatched sites.

Mitigation

The vendor has addressed this issue in a subsequent update. Users are strongly advised to update the Image Cleanup plugin to version 1.9.3 or later. If immediate update is not possible, consider contacting your hosting provider or a web developer for temporary workarounds [1].