CVE-2025-12113
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webtoffee | alt_text_generator | 1.8.4 |
| webtoffee | alt_text_generator | 1.8.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Alt Text Generator AI WordPress plugin (up to version 1.8.3) where a missing capability check in the atgai_delete_api_key() function allows authenticated users with Subscriber-level access or higher to delete the site's API key without proper authorization. [1]
How can this vulnerability impact me? :
An attacker with at least Subscriber-level access can delete the API key connected to the site, potentially disrupting functionality that depends on this key, leading to loss of service or unauthorized interference with the plugin's operations. [1]
What immediate steps should I take to mitigate this vulnerability?
Update the Alt Text Generator AI plugin to version 1.8.4 or later, as this version includes a security fix that patches the vulnerability allowing unauthorized deletion of the API key. Applying this update will mitigate the risk of exploitation. [1]