CVE-2025-13794
Unauthorized Data Modification in Auto Featured Image WordPress Plugin
Publication date: 2025-12-16
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | auto_featured_image | 4.2.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Auto Featured Image (Auto Post Thumbnail) WordPress plugin allows authenticated users with Contributor-level access or higher to modify data without proper authorization. Specifically, due to a missing capability check in the bulk_action_generate_handler function, these users can delete or generate featured images on posts they do not own.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers with Contributor-level access or above to manipulate featured images on posts they do not own. This unauthorized modification can lead to unwanted changes in your website's content presentation, potentially damaging the site's appearance or misleading users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Auto Featured Image (Auto Post Thumbnail) plugin to a version later than 4.2.1 where the missing capability check on the bulk_action_generate_handler function is fixed. Additionally, restrict Contributor-level access and above to trusted users only, as the vulnerability allows authenticated users with Contributor-level access to modify featured images on posts they do not own.