CVE-2025-13794

The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress, in all versions up to and including 4.2.1, contains a missing authorization vulnerability (CWE-862) in the bulk_action_generate_handler function. This function performs bulk operations on post thumbnails without verifying that the current user has the capability to edit the specific posts being targeted. The plugin relies on a user's role level (Contributor or above) rather than enforcing WordPress's object-level access control, which normally checks if the user can edit each individual post [1].

An authenticated attacker with at least Contributor-level access can exploit this flaw by sending a crafted request to the vulnerable handler. The attack requires no special privileges beyond a standard Contributor account and can be executed from the Posts list screen in the WordPress admin area. The researcher Dmitrii Ignatyev published a proof-of-concept demonstrating the exploitation [1].

Successful exploitation allows the attacker to delete or generate featured images on posts they do not own. This enables cross-user content tampering, potentially disrupting editorial workflows on multi-author sites, altering the appearance of published content, or causing data loss for other users. The impact is limited to thumbnail modification of data without proper authorization [1].

As of the publication date, the vendor has been contacted and a fix is expected. No evidence of active exploitation in the wild has been reported, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEVulnerabilities (KEV catalog. Users are advised to update the plugin once a patched version is released or to restrict Contributor-level access if the plugin is essential [1].