CVE-2025-53272: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was identified in the WordPress Image Cleanup plugin versions up to 1.9.2. The vulnerability was discovered by security researcher Skalucy and was officially published on June 27, 2025. This security issue affects the Image Cleanup WordPress plugin developed by opicron (Patchstack).

The vulnerability has been assigned CVE-2025-53272 and is classified as CWE-352 (Cross-Site Request Forgery). It received a CVSS v3.1 Base Score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The impact is primarily on integrity, with no effect on confidentiality or availability (NVD, Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The software is considered abandoned as it hasn't received updates for over a year, increasing the potential security risk for users (Patchstack).

As there is no official fix available and the software is considered abandoned, the recommended mitigation strategy is to remove and replace the Image Cleanup plugin with an alternative solution. It's important to note that merely deactivating the software does not remove the security threat unless a virtual patch (vPatch) is deployed (Patchstack).