CVE-2025-14629 MEDIUM

CVE-2025-14629: Alchemist Ajax Upload <= 1.1 - Missing Authorization to Unauthenticated Arbitrary Media File Deletion

Vendor Tandubhai

Product Alchemist Ajax Upload

Weakness CWE-862 · Missing authorization

Published January 24, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments.

Explanation of Vulnerability in Simple Terms

02Summary

Alchemist Ajax Upload versions 1.1 and earlier lack proper authorization checks on file upload functionality. An attacker can upload files to the affected system without authentication. The vulnerability allows modification of site content through unauthorized file uploads, though it does not expose sensitive data or cause service disruption.

What an attacker can do

03Attacker Capabilities

Upload files to the site without logging in or having permission to do so.

Potential impact on your site

04Site Impact

Attackers can upload malicious files, potentially replacing legitimate content or injecting code into your site.

Conditions required to exploit

05Prerequisites

Network access to the upload endpoint; no authentication or user interaction required.

Key dates

06Disclosure timeline

January 24, 2026 CVE published

April 8, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-14629 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities