Ai Image Alt Text Generator for WP CVE-2025-58207
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.5.
AnalysisAI
Unauthenticated attackers can modify WordPress media library image alt text and potentially disrupt site availability through broken access control in Ai Image Alt Text Generator for WP plugin versions up to 1.1.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation without authentication, though the low 0.06% EPSS score (17th percentile) suggests minimal observed exploitation activity. Patchstack reported this as an authentication bypass vulnerability allowing unauthorized manipulation of image metadata.
Technical ContextAI
This vulnerability stems from CWE-862 (Missing Authorization), where the WordPress plugin fails to properly verify user permissions before executing sensitive operations. The plugin provides AI-powered functionality to generate alt text for images in the WordPress media library, but lacks adequate access control checks on critical endpoints or functions. The CVSS vector indicates network-accessible exploitation with low complexity and no required privileges, suggesting that plugin API endpoints or AJAX handlers can be invoked directly without WordPress's standard nonce validation or capability checks. This represents a fundamental failure in WordPress security best practices, where all administrative functions must verify current_user_can() permissions and validate nonces to prevent CSRF and unauthorized access.
Affected ProductsAI
The vulnerability affects WP Messiah's Ai Image Alt Text Generator for WP plugin for WordPress, all versions from initial release through version 1.1.5 inclusive. According to Patchstack's database entry, this is a WordPress plugin distributed through the official WordPress.org repository under the slug 'ai-image-alt-text-generator-for-wp'. The vulnerability impacts any WordPress installation running these vulnerable plugin versions, regardless of WordPress core version. No CPE identifier was provided in the available data.
RemediationAI
Upgrade Ai Image Alt Text Generator for WP plugin to version 1.1.6 or later if available, checking the WordPress plugin repository or vendor website for the patched release. Verify the update through WordPress admin dashboard under Plugins > Installed Plugins. If a patched version is not yet released, immediately deactivate and remove the plugin until a fix becomes available, as the authentication bypass cannot be mitigated through configuration changes alone. As a temporary workaround if plugin functionality is critical, implement web application firewall (WAF) rules to restrict access to the plugin's AJAX endpoints (typically /wp-admin/admin-ajax.php with plugin-specific action parameters) to authenticated administrator sessions only, though this requires identifying the specific vulnerable endpoints which are not detailed in available advisories. Monitor the official Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ai-image-alt-text-generator-for-wp/ for vendor response and patch release notifications.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today