VYPR
Medium severity · 4.3 · NVD Advisory · Published Jan 23, 2026 · Updated Apr 28, 2026

CVE-2026-24579

Description

Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in WP Messiah's Ai Image Alt Text Generator for WP plugin (<=1.1.9) allows unauthenticated attackers to exploit incorrectly configured access controls.

Vulnerability Overview

The Ai Image Alt Text Generator for WP plugin by WP Messiah suffers from a missing authorization vulnerability (CWE-862) in versions up to and including 1.1.9. The plugin does not enforce properly configured access control security levels, allowing exploitation of incorrectly configured access control mechanisms. The issue is categorized as a broken access control vulnerability, which typically involves missing authorization checks, authentication requirements, or nonce token validation [1].

Exploitation Details

Attackers can exploit this vulnerability without requiring any prior authentication or elevated privileges. The broken access control allows unprivileged users to execute actions that should be restricted to higher-privileged roles. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of their traffic size or popularity [1].

Impact

Successful exploitation could allow an attacker to perform unauthorized actions within the WordPress installation, potentially leading to data exposure, content manipulation, or other unintended operations. The CVSS v3 base score of 4.3 (Medium) reflects the moderate severity of this issue, though the actual impact may vary depending on the specific misconfigured access controls [1].

Mitigation

The vendor has not released a patched version beyond 1.1.9 at the time of publication. Immediate action is recommended: update the plugin to the latest available version. If updating is not possible, users should contact their hosting provider or web developer for assistance. The vulnerability is publicly documented and may be actively targeted in automated attacks [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

References: 1
