CVE-2026-24535
Description
Missing Authorization vulnerability in webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Automatic Featured Images from Videos: from n/a through <= 1.2.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress Automatic Featured Images from Videos plugin <=1.2.7 has a broken access control vulnerability allowing exploitation by unauthenticated attackers.
Vulnerability
Overview
The Automatic Featured Images from Videos plugin for WordPress versions 1.2.7 and earlier contains a missing authorization vulnerability [1]. The plugin fails to properly verify access control levels, allowing exploitation of incorrectly configured access control security levels.
Exploitation
This broken access control issue means that an unprivileged user, or even an unauthenticated attacker, may be able to execute actions that should require higher privileges. The vulnerability is reportedly used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1]. No authentication is needed if the vulnerable function is exposed to unauthenticated users.
Impact
An attacker can exploit this vulnerability to perform unauthorized actions within the plugin's functionality, potentially leading to unauthorized modification of plugin settings or data. The official CVSS score of 4.3 indicates medium severity with a low likelihood of exploitation according to the vendor [1].
Mitigation
The vulnerability has been patched in version 1.2.8 of the plugin. Users are strongly advised to update immediately. Those unable to update should seek assistance from their hosting provider or developer. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.2.7
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.