VYPR
Medium severity 5.3 · NVD Advisory · Published Dec 31, 2025 · Updated Apr 23, 2026

CVE-2025-62747

Description

Missing Authorization vulnerability in Aum Watcharapon Featured Image Generator featured-image-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Featured Image Generator: from n/a through <= 1.3.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Featured Image Generator plugin (≤1.3.4) allows unauthenticated attackers to exploit incorrectly configured access controls.

Vulnerability

Overview

The Featured Image Generator plugin for WordPress, versions up to and including 1.3.4, suffers from a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain functions, meaning that unauthenticated or low-privileged users can perform actions that should require higher privileges. This is a classic broken access control issue, where the code lacks a capability check or nonce validation before executing sensitive operations [1].

Exploitation

An attacker can exploit this vulnerability without needing any authentication. By sending crafted requests to the affected plugin endpoints, they can trigger functionality that should be restricted to administrators. The attack surface is broad because the plugin is widely used, and the vulnerability can be automated to target thousands of sites at once, making it suitable for mass-exploit campaigns [1].

Impact

Successful exploitation allows an attacker to bypass intended access restrictions, potentially leading to unauthorized generation of featured images, modification of plugin settings, or other actions that compromise the site's integrity. The CVSS score of 5.3 (Medium) reflects the moderate severity, but the ease of exploitation and potential for automated attacks increase the real-world risk [1].

Mitigation

The vendor has not released a patched version beyond 1.3.4, so users should immediately update the plugin to the latest available version. If an update is not possible, site owners should contact their hosting provider or a web developer to implement alternative security measures, such as web application firewall rules, to block malicious requests targeting this vulnerability [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
