Aum Watcharapon Featured Image Generator CVE-2025-62747
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Aum Watcharapon Featured Image Generator featured-image-generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image Generator: from n/a through <= 1.3.4.
AnalysisAI
Missing authorization checks in Aum Watcharapon Featured Image Generator WordPress plugin versions up to 1.3.4 allow unauthenticated or low-privileged attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive plugin functionality. The EPSS score of 0.04% indicates low exploitation probability in practice despite the authorization flaw.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a root cause where the plugin fails to properly enforce access control restrictions on its functions or API endpoints. This is distinct from authentication flaws (who you are) versus authorization (what you can do). WordPress plugins rely on capability checks using functions like current_user_can() to verify that a user has permission to perform an action. The Featured Image Generator plugin does not appear to implement these checks correctly on one or more features, allowing attackers to manipulate or access image generation and management features regardless of their intended privilege level.
Affected ProductsAI
Aum Watcharapon Featured Image Generator WordPress plugin version 1.3.4 and all earlier versions are affected. The plugin is available via WordPress.org and the vulnerable range spans from the initial release through version 1.3.4. Further details are available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/featured-image-generator/vulnerability/wordpress-featured-image-generator-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve.
RemediationAI
WordPress site administrators using Featured Image Generator should upgrade immediately to the first patched version released after 1.3.4; consult the plugin's official WordPress.org page or the Patchstack advisory for the exact patched version number and availability. In the interim, site administrators should restrict plugin access to trusted administrators only and review activity logs for any suspicious access to image generation features. The vulnerability is tracked by Patchstack, which provides additional detail at the reference URL above.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today