CVE-2026-3722
Description
Stored XSS in WordPress Auto Image Attributes plugin allows authenticated attackers to inject scripts via attachment metadata.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Auto Image Attributes plugin allows authenticated attackers to inject scripts via attachment metadata.
Vulnerability
The Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) plugin for WordPress versions up to and including 4.9 is vulnerable to Stored Cross-Site Scripting (XSS). This vulnerability exists due to insufficient input sanitization and output escaping when processing attachment metadata.
Exploitation
An attacker with at least Author-level access can exploit this vulnerability by injecting arbitrary web scripts into attachment metadata. These scripts will execute when a user views a page containing the compromised attachment metadata.
Impact
Successful exploitation allows an attacker to execute arbitrary web scripts in the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious websites, depending on the injected script.
Mitigation
There is no specific mitigation or patched version mentioned in the provided references. Users are advised to monitor for updates from the plugin developer. As of the publication of this CVE, no workaround or fixed version has been disclosed in the available references.
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=4.9
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3- plugins.trac.wordpress.org/browser/auto-image-attributes-from-filename-with-bulk-updater/tags/4.9/admin/columns-media-library.phpnvd
- plugins.trac.wordpress.org/browser/auto-image-attributes-from-filename-with-bulk-updater/tags/4.9/admin/do.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/9696fae6-39fe-4478-90e7-488b5b573fa8nvd
News mentions
0No linked articles in our index yet.