CVE-2025-28863
Published: 11 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-28863 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Delete Original Image developed by Carlos Minatti. The flaw affects all versions of the plugin up to and including 0.4, enabling attackers to perform forged requests on behalf of authenticated users. It received a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, no privileges required, and user interaction needed.
An attacker can exploit this vulnerability by tricking an authenticated WordPress user, such as an administrator, into visiting a malicious webpage that submits a forged request to the plugin's delete function. No attacker authentication is required, but the victim must have sufficient privileges to trigger the action. Successful exploitation results in low integrity impact, potentially allowing unauthorized deletion of original images without the user's knowledge or consent.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/delete-original-image/vulnerability/wordpress-delete-original-image-plugin-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve details the vulnerability and recommends updating to a patched version of the plugin where available, or disabling it if no patch exists. Security practitioners should verify plugin updates via official WordPress repositories and implement CSRF tokens in custom workflows as a general mitigation.
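To make the mitigation concrete, here is an added illustration of the CSRF-prone pattern beside the hardened one in a WordPress admin-post handler that deletes an attachment. This is example code, not the Delete Original Image plugin's source; the hook names, the `doi_` prefix and the nonce action string are assumptions, while `check_admin_referer`, `wp_nonce_url`, `current_user_can` and `wp_delete_attachment` are real WordPress functions.

```php
<?php
// Added illustration (not the plugin's own code): two versions of a handler
// behind wp-admin/admin-post.php that deletes an attachment. Hook names, the
// "doi_" prefix and the nonce action string are assumptions for this example.

// --- Weak pattern: every request that reaches this action is honoured -------
// Nothing here distinguishes a deletion the user intended from one issued by
// a page the user was lured to; the browser attaches the logged-in cookies
// either way, which is exactly the CWE-352 condition in the advisory.
add_action('admin_post_doi_delete_weak', function () {
    $id = absint($_GET['attachment_id'] ?? 0);
    wp_delete_attachment($id, true);          // no proof of user intent
    wp_safe_redirect(admin_url('upload.php'));
    exit;
});

// --- Hardened pattern: nonce ties the request to this user and action -------
// The link that triggers the deletion is built with wp_nonce_url(), so it
// carries a per-user, time-limited token that a third-party page cannot know.
function doi_delete_link(int $attachment_id): string {
    $url = add_query_arg(
        ['action' => 'doi_delete', 'attachment_id' => $attachment_id],
        admin_url('admin-post.php')
    );
    return wp_nonce_url($url, 'doi_delete_' . $attachment_id);
}

add_action('admin_post_doi_delete', function () {
    $id = absint($_GET['attachment_id'] ?? 0);

    // 1. Authorisation: the user must be allowed to delete this attachment
    //    (the 'delete_post' meta capability covers attachment posts).
    if (!current_user_can('delete_post', $id)) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }

    // 2. Intent: the _wpnonce parameter must match this user, this action and
    //    this object. check_admin_referer() stops with a 403 "link has expired"
    //    page when the nonce is missing or invalid, so a forged request fails.
    check_admin_referer('doi_delete_' . $id);

    wp_delete_attachment($id, true);
    wp_safe_redirect(admin_url('upload.php'));
    exit;
});
```

Both checks are needed: the capability check alone does not stop CSRF, because the forged request runs with the victim's own privileges, and the nonce alone does not enforce authorization.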
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF vulnerability in a public-facing WordPress plugin, exploited by tricking an authenticated user into visiting a malicious webpage (T1190 for exploitation of a public-facing application; T1204.001 for malicious link delivery that requires user interaction).