Cyber Resilience

CVE-2025-28863

Severity: Medium
Published: 11 March 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS v3.1 base score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
EPSS score: 0.0016 (37.1st percentile)
Risk priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-28863 is a medium-severity CSRF (CWE-352) vulnerability in the Delete Original Image WordPress plugin by Carlos Minatti (vendor slug carlosminatti), affecting versions up to and including 0.4. Its CVSS v3.1 base score is 4.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 37.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-28863 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Delete Original Image developed by Carlos Minatti. The flaw affects all versions of the plugin up to and including 0.4 and lets an attacker cause forged requests to be issued on behalf of authenticated users. It received a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N): network-reachable, low attack complexity, no privileges required of the attacker, user interaction required, and a low integrity impact only (no confidentiality or availability impact).

An attacker exploits this by tricking an authenticated WordPress user, such as an administrator, into visiting a malicious webpage that submits a forged request to the plugin's delete function. The victim's browser attaches their WordPress session cookies to that request, so the attacker needs no credentials of their own; the victim, however, must hold sufficient privileges to trigger the action. Successful exploitation has a low integrity impact: original images can be deleted without the user's knowledge or consent.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/delete-original-image/vulnerability/wordpress-delete-original-image-plugin-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve details the vulnerability and recommends updating to a patched version of the plugin where available, or disabling it if no patch exists. Security practitioners should verify plugin updates via the official WordPress plugin repository and, in their own plugins and custom workflows, protect every state-changing action with a CSRF token (in WordPress, a nonce verified on the server) together with a capability check.
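To make the mitigation concrete, the following is an added illustration, not code from the Delete Original Image plugin or from Patchstack: a hypothetical WordPress admin-post handler that deletes an attachment in the CSRF-prone shape described above, beside the hardened form. The hook name doi_delete_original, the attachment_id parameter and the function names are invented for this example; the WordPress API calls (check_admin_referer, wp_nonce_field, current_user_can, wp_delete_attachment) are real core functions.

```php
<?php
/**
 * Added example (hypothetical plugin code, not the Delete Original Image
 * plugin's own). Contrasts a CSRF-prone "delete the original image" handler
 * with a hardened one. Names doi_* and attachment_id are made up.
 */

// --- Vulnerable shape (shown for contrast, deliberately NOT hooked) ---------
// A logged-in user's browser that loads
//   https://victim.example/wp-admin/admin-post.php?action=doi_delete_original&attachment_id=123
// (e.g. via <img src="..."> on an attacker's page) deletes attachment 123.
// The request rides the victim's session cookies; the handler checks neither a
// nonce nor whether this user may delete this particular attachment.
function doi_handle_delete_vulnerable() {
    $id = isset( $_GET['attachment_id'] ) ? (int) $_GET['attachment_id'] : 0;
    if ( $id > 0 ) {
        wp_delete_attachment( $id, true ); // force delete, bypasses trash
    }
    wp_safe_redirect( admin_url( 'upload.php' ) );
    exit;
}

// --- Hardened shape ---------------------------------------------------------
// 1. State-changing action accepted only via POST.
// 2. Nonce bound to the specific attachment: check_admin_referer() verifies
//    the _wpnonce field and dies if it is missing or invalid. A third-party
//    page cannot read or forge a valid nonce, which is what defeats CSRF.
// 3. Capability check: a nonce proves intent, not authorization, so the user
//    must still be allowed to delete this attachment.
function doi_handle_delete_hardened() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }

    $id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( 0 === $id || 'attachment' !== get_post_type( $id ) ) {
        wp_die( 'Invalid attachment', '', array( 'response' => 400 ) );
    }

    // Action string must match the one used when the nonce field was emitted.
    check_admin_referer( 'doi_delete_original_' . $id );

    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_die( 'You are not allowed to delete this attachment', '', array( 'response' => 403 ) );
    }

    wp_delete_attachment( $id, true );
    wp_safe_redirect( add_query_arg( 'doi_deleted', $id, admin_url( 'upload.php' ) ) );
    exit;
}
add_action( 'admin_post_doi_delete_original', 'doi_handle_delete_hardened' );

// The form that triggers the action: the nonce is generated per attachment
// with the same action string the handler verifies.
function doi_render_delete_button( $attachment_id ) {
    $attachment_id = absint( $attachment_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="doi_delete_original">
        <input type="hidden" name="attachment_id" value="<?php echo esc_attr( $attachment_id ); ?>">
        <?php wp_nonce_field( 'doi_delete_original_' . $attachment_id ); ?>
        <button type="submit" class="button button-link-delete">Delete original image</button>
    </form>
    <?php
}
```

A quick audit check for any plugin in this class: locate every call that changes state (here, wp_delete_attachment) and confirm that a nonce verification (check_admin_referer, check_ajax_referer or wp_verify_nonce) and a current_user_can check sit on the same code path before it. A handler reachable through admin-post.php or admin-ajax.php that reaches the delete call without both is the pattern CVE-2025-28863 describes.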

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Carlos Minatti Delete Original Image (slug delete-original-image) allows Cross Site Request Forgery. This issue affects Delete Original Image: from n/a through 0.4 (all versions up to and including 0.4).

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

The flaw is a CSRF in a public-facing WordPress plugin, exploited by luring an authenticated user to a malicious webpage: T1190 covers the exploitation of the Internet-facing application, and T1204.001 covers the malicious-link delivery that supplies the required user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25121 (shared CWE-352)
CVE-2025-24001 (shared CWE-352)
CVE-2025-25147 (shared CWE-352)
CVE-2026-34904 (shared CWE-352)
CVE-2024-26153 (shared CWE-352)
CVE-2025-28860 (shared CWE-352)
CVE-2026-45430 (shared CWE-352)
CVE-2025-23880 (shared CWE-352)
CVE-2025-59541 (shared CWE-352)
CVE-2026-23622 (shared CWE-352)

Affected Assets

Vendor: carlosminatti
Product: Delete Original Image
Versions: ≤ 0.4

Mitigating Controls (NIST 800-53 r5)

Prevent (patching): Directly mitigates the CSRF vulnerability by requiring timely remediation through patching the affected Delete Original Image plugin versions up to and including 0.4.

Prevent (SC-23 Session Authenticity): Enforces session authenticity mechanisms such as CSRF tokens (WordPress nonces) so that forged requests cannot trick authenticated users into deleting original images.

Prevent (SI-10 Information Input Validation): Validates inputs to the plugin's delete function, ensuring requests carry proper CSRF protections and rejecting unauthorized forged submissions.

References

Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/delete-original-image/vulnerability/wordpress-delete-original-image-plugin-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve