Skip to main content

Bulk SEO Image CVE-2026-11997

| EUVDEUVD-2026-38688 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-24 Wordfence GHSA-pphr-r45w-j4jp
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Attacker needs no privileges (PR:N); admin must actively visit malicious page (UI:R); impact is integrity-only ALT-text overwrite with no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 07:04 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page handler BulkSeoImage(), which dispatches to launchbulk() / BulkSeoImageGo() whenever the request contains $_POST['bulkseoimage']. No wp_nonce_field() is emitted in the form and no check_admin_referer()/wp_verify_nonce() is performed before bulk-overwriting the _wp_attachment_image_alt post meta for every image attached to every published post and/or page. This makes it possible for unauthenticated attackers to bulk-overwrite image ALT-text metadata across the site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery in the Bulk SEO Image WordPress plugin (versions ≤ 1.1) enables unauthenticated attackers to bulk-overwrite every image ALT-text attribute across all published posts and pages on a target site by tricking an authenticated administrator into visiting a malicious page. The plugin's core handler BulkSeoImage() dispatches to launchbulk() and BulkSeoImageGo() whenever a POST request includes the 'bulkseoimage' parameter, with no wp_nonce_field() emitted in the form and no check_admin_referer() or wp_verify_nonce() call gating execution - confirmed by direct source code review at the plugin's Trac repository. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft hidden auto-submit POST form
Delivery
Host form on attacker-controlled page
Exploit
Deliver phishing link to WordPress admin
Execution
Admin browser submits forged request while authenticated
Persist
Plugin dispatches BulkSeoImage() without nonce verification
Impact
Bulk-overwrite ALT-text metadata across all site images

Vulnerability AssessmentAI

Exploitation The Bulk SEO Image plugin (version ≤ 1.1) must be installed and activated on the target WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) accurately reflects a constrained but real integrity risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a webpage containing a hidden HTML form that auto-submits a POST request to the target WordPress site's admin handler with the 'bulkseoimage' parameter set to a desired value. The attacker delivers a phishing email or malicious link to a WordPress administrator who is currently logged into the site; upon visiting the page, the administrator's browser automatically fires the cross-origin POST in the context of their active authenticated session, causing the plugin to bulk-overwrite ALT-text metadata on every image across all published posts and pages without any visible indication to the administrator.
Remediation No vendor-released patched version has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy