Skip to main content

Ai Image Alt Text Generator for WP CVE-2025-58207

HIGH
Missing Authorization (CWE-862)
2025-11-06 audit@patchstack.com
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 24, 2026 - 00:44 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
HIGH 8.2

DescriptionCVE.org

Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.5.

AnalysisAI

Unauthenticated attackers can modify WordPress media library image alt text and potentially disrupt site availability through broken access control in Ai Image Alt Text Generator for WP plugin versions up to 1.1.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation without authentication, though the low 0.06% EPSS score (17th percentile) suggests minimal observed exploitation activity. Patchstack reported this as an authentication bypass vulnerability allowing unauthorized manipulation of image metadata.

Technical ContextAI

This vulnerability stems from CWE-862 (Missing Authorization), where the WordPress plugin fails to properly verify user permissions before executing sensitive operations. The plugin provides AI-powered functionality to generate alt text for images in the WordPress media library, but lacks adequate access control checks on critical endpoints or functions. The CVSS vector indicates network-accessible exploitation with low complexity and no required privileges, suggesting that plugin API endpoints or AJAX handlers can be invoked directly without WordPress's standard nonce validation or capability checks. This represents a fundamental failure in WordPress security best practices, where all administrative functions must verify current_user_can() permissions and validate nonces to prevent CSRF and unauthorized access.

Affected ProductsAI

The vulnerability affects WP Messiah's Ai Image Alt Text Generator for WP plugin for WordPress, all versions from initial release through version 1.1.5 inclusive. According to Patchstack's database entry, this is a WordPress plugin distributed through the official WordPress.org repository under the slug 'ai-image-alt-text-generator-for-wp'. The vulnerability impacts any WordPress installation running these vulnerable plugin versions, regardless of WordPress core version. No CPE identifier was provided in the available data.

RemediationAI

Upgrade Ai Image Alt Text Generator for WP plugin to version 1.1.6 or later if available, checking the WordPress plugin repository or vendor website for the patched release. Verify the update through WordPress admin dashboard under Plugins > Installed Plugins. If a patched version is not yet released, immediately deactivate and remove the plugin until a fix becomes available, as the authentication bypass cannot be mitigated through configuration changes alone. As a temporary workaround if plugin functionality is critical, implement web application firewall (WAF) rules to restrict access to the plugin's AJAX endpoints (typically /wp-admin/admin-ajax.php with plugin-specific action parameters) to authenticated administrator sessions only, though this requires identifying the specific vulnerable endpoints which are not detailed in available advisories. Monitor the official Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ai-image-alt-text-generator-for-wp/ for vendor response and patch release notifications.

Share

CVE-2025-58207 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy