VYPR
Medium severity 6.5 · NVD Advisory · Published Oct 27, 2025 · Updated Apr 15, 2026

CVE-2025-62921

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pagup Bulk Auto Image Title Attribute bulk-image-title-attribute allows DOM-Based XSS. This issue affects Bulk Auto Image Title Attribute: from n/a through <= 2.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated DOM-based XSS in Pagup Bulk Auto Image Title Attribute plugin (≤2.0.1) allows script injection via improper input neutralization.

The Bulk Auto Image Title Attribute plugin for WordPress versions up to and including 2.0.1 suffers from a DOM-based Cross-site Scripting (XSS) vulnerability. The root cause is the improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page while being logged in as a privileged user. The attack is delivered through the vulnerable plugin's administrative interface, leveraging the lack of output encoding on certain parameters [1].

Successful exploitation allows an attacker to execute malicious scripts in the context of the victim's browser. This can be used to steal session cookies, redirect users to phishing sites, serve advertisements, or deface the website. While the CVSS score is 6.5 (Medium), the vulnerability is notable for being leveraged in mass exploit campaigns against thousands of WordPress sites regardless of their size [1].

Plugin users are strongly advised to update to the latest patched version immediately. For those unable to update, contacting the hosting provider or a web developer is recommended as a temporary workaround. No other mitigations are documented in the advisory [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
