Skip to main content

Aum Watcharapon Featured Image Generator CVE-2025-62747

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Aum Watcharapon Featured Image Generator featured-image-generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image Generator: from n/a through <= 1.3.4.

AnalysisAI

Missing authorization checks in Aum Watcharapon Featured Image Generator WordPress plugin versions up to 1.3.4 allow unauthenticated or low-privileged attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive plugin functionality. The EPSS score of 0.04% indicates low exploitation probability in practice despite the authorization flaw.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a root cause where the plugin fails to properly enforce access control restrictions on its functions or API endpoints. This is distinct from authentication flaws (who you are) versus authorization (what you can do). WordPress plugins rely on capability checks using functions like current_user_can() to verify that a user has permission to perform an action. The Featured Image Generator plugin does not appear to implement these checks correctly on one or more features, allowing attackers to manipulate or access image generation and management features regardless of their intended privilege level.

Affected ProductsAI

Aum Watcharapon Featured Image Generator WordPress plugin version 1.3.4 and all earlier versions are affected. The plugin is available via WordPress.org and the vulnerable range spans from the initial release through version 1.3.4. Further details are available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/featured-image-generator/vulnerability/wordpress-featured-image-generator-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve.

RemediationAI

WordPress site administrators using Featured Image Generator should upgrade immediately to the first patched version released after 1.3.4; consult the plugin's official WordPress.org page or the Patchstack advisory for the exact patched version number and availability. In the interim, site administrators should restrict plugin access to trusted administrators only and review activity logs for any suspicious access to image generation features. The vulnerability is tracked by Patchstack, which provides additional detail at the reference URL above.

Share

CVE-2025-62747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy