CVE-2025-62747

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 16:15 (nvd)

Description

Missing Authorization vulnerability in Aum Watcharapon Featured Image Generator featured-image-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Featured Image Generator: from n/a through <= 1.3.4.

Analysis

Missing authorization checks in Aum Watcharapon Featured Image Generator WordPress plugin versions up to 1.3.4 allow unauthenticated or low-privileged attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive plugin functionality. The EPSS score of 0.04% indicates low exploitation probability in practice despite the authorization flaw.

Technical Context

The vulnerability stems from CWE-862 (Missing Authorization): the plugin fails to enforce access control restrictions on one or more of its functions or API endpoints. This is distinct from an authentication flaw: authentication establishes who you are, authorization decides what you are allowed to do. WordPress plugins rely on capability checks such as current_user_can() to verify that a user has permission to perform an action. The Featured Image Generator plugin does not appear to apply these checks correctly to one or more features, allowing attackers to access or manipulate image generation and management features regardless of their intended privilege level.
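The following is an added illustration of the CWE-862 pattern described above in a generic WordPress plugin, together with its hardened form. It is not code from the Featured Image Generator plugin: the hook names, action names, option key and REST namespace (demo_fig_*, demo-fig/v1) are hypothetical, while add_action(), current_user_can(), check_ajax_referer(), wp_send_json_error() and register_rest_route() are the real WordPress APIs.

```php
<?php
/**
 * Added example (not the Featured Image Generator plugin's code):
 * a WordPress handler missing authorization (CWE-862) and its hardened form.
 * All demo_fig_* names and the 'demo-fig/v1' REST namespace are hypothetical.
 */

// --- Vulnerable pattern: an admin-ajax.php handler with no authorization check ---
// The wp_ajax_nopriv_ hook additionally exposes the handler to unauthenticated visitors.
add_action( 'wp_ajax_demo_fig_generate', 'demo_fig_generate_unchecked' );
add_action( 'wp_ajax_nopriv_demo_fig_generate', 'demo_fig_generate_unchecked' );

function demo_fig_generate_unchecked() {
    // Anyone who can reach admin-ajax.php can trigger image generation and
    // overwrite plugin settings: no capability check, no nonce check.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    update_option( 'demo_fig_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// --- Hardened pattern: registered for logged-in users only (no wp_ajax_nopriv_ hook) ---
add_action( 'wp_ajax_demo_fig_generate_safe', 'demo_fig_generate_checked' );

function demo_fig_generate_checked() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'demo_fig_generate', 'nonce' );

    // 2. Authorization: require capabilities that match the operation. Setting a
    //    featured image means uploading media and editing the target post.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Changing plugin settings is an administrative action: require manage_options.
    if ( isset( $_POST['settings'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }
        $settings = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['settings'] ) );
        update_option( 'demo_fig_settings', $settings );
    }

    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// --- The same rule for REST API endpoints ---
// permission_callback is where authorization lives. Passing '__return_true' is the
// REST equivalent of the missing check above and belongs only on intentionally public routes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-fig/v1', '/generate', array(
        'methods'             => 'POST',
        'callback'            => 'demo_fig_rest_generate',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = absint( $request->get_param( 'post_id' ) );
            return current_user_can( 'upload_files' ) && current_user_can( 'edit_post', $post_id );
        },
        'args' => array(
            'post_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

function demo_fig_rest_generate( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'post_id' => $request->get_param( 'post_id' ) ) );
}
```

When reviewing a plugin for this class of bug, the two things to look for are exactly what the vulnerable handler lacks: a current_user_can() check (or a real permission_callback on REST routes) whose capability matches the action being performed, and a nonce check; a wp_ajax_nopriv_ registration on a handler that modifies state is an immediate red flag.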

Affected Products

Aum Watcharapon Featured Image Generator WordPress plugin version 1.3.4 and all earlier versions are affected. The plugin is available via WordPress.org and the vulnerable range spans from the initial release through version 1.3.4. Further details are available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/featured-image-generator/vulnerability/wordpress-featured-image-generator-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve.

Remediation

WordPress site administrators using Featured Image Generator should upgrade immediately to the first patched version released after 1.3.4; consult the plugin's official WordPress.org page or the Patchstack advisory for the exact patched version number and availability. In the interim, site administrators should restrict plugin access to trusted administrators only and review activity logs for any suspicious access to image generation features. The vulnerability is tracked by Patchstack, which provides additional detail at the reference URL above.

Priority Score

Score: 0 (KEV: 0, EPSS: +0.0, CVSS: +0, POC: 0)
