CVE-2025-31611
Description
Auto Post After Image Upload plugin <=1.6 has a broken access control (missing authorization) allowing unauthenticated exploitation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-31611 is a Missing Authorization vulnerability in the WordPress plugin Auto Post After Image Upload, affecting versions up to and including 1.6. The vulnerability stems from incorrectly configured access control security levels, specifically missing authorization checks in certain functions [1]. This allows unprivileged users to execute actions that should require higher privileges.
The attack vector for this vulnerability involves exploiting the broken access control mechanisms without requiring authentication. An attacker can directly trigger privileged operations due to the lack of proper capability checks or nonce validation [1]. The attack surface is the WordPress admin area exposed by the plugin.
The impact of successful exploitation is that an attacker can perform actions that are normally restricted, leading to unauthorized changes within the WordPress installation. This could include creating posts or modifying content, bypassing the intended access restrictions [1].
As of the publication date, users are advised to update the plugin to a patched version if available. The vulnerability is known to be used in mass-exploit campaigns, so immediate action is recommended. If unable to update, consult with a hosting provider or web developer for mitigation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.6
- Range: <=1.6
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.