Auto Featured Image <= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification
Description
The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=4.2.1Source Code
WordPress.org SVNThis plan outlines the research and exploitation strategy for **CVE-2025-13794**, a missing authorization vulnerability in the **Auto Featured Image** plugin. ### 1. Vulnerability Summary The `Auto Featured Image` plugin provides a bulk action to generate or delete featured images for posts. The fu…
Show full research plan
This plan outlines the research and exploitation strategy for CVE-2025-13794, a missing authorization vulnerability in the Auto Featured Image plugin.
1. Vulnerability Summary
The Auto Featured Image plugin provides a bulk action to generate or delete featured images for posts. The function responsible for handling these bulk actions, bulk_action_generate_handler, fails to perform a capability check (e.g., current_user_can( 'edit_others_posts' )). While the bulk action UI is intended for administrators, the underlying handler is accessible to any authenticated user with access to the WordPress dashboard, specifically Contributors and above. This allows a Contributor to trigger featured image generation or deletion for posts they do not own, which they normally cannot modify.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/edit.php(Standard WordPress bulk action handler). - Action Name: Likely
generate_auto_post_thumbnailordelete_auto_post_thumbnail(to be confirmed in source). - Vulnerable Function:
bulk_action_generate_handler. - Authentication: Contributor-level session required.
- Parameters:
post[]: Array of Post IDs to target.actionoraction2: The specific bulk action string._wpnonce: The bulk action nonce from theedit.phppage.
- Preconditions: A target post must exist that is NOT owned by the attacker (e.g., an Admin's post).
3. Code Flow
- Registration: The plugin likely hooks into
handle_bulk_actions-edit-post(or similar) to registerbulk_action_generate_handler. - Trigger: When a user selects a bulk action from the dropdown on the Posts list and clicks "Apply", WordPress sends a
POSTorGETrequest toedit.php. - Vulnerability: The
bulk_action_generate_handlerfunction is invoked. It likely checks for a nonce but fails to check if thecurrent_user_can('edit_post', $post_id)or has generaledit_others_postspermissions. - Sink: The function iterates through the
post[]array and callsset_post_thumbnail()ordelete_post_meta($id, '_thumbnail_id').
4. Nonce Acquisition Strategy
Since the vulnerability involves a WordPress Admin bulk action, it likely requires the bulk-posts nonce.
- Login as Contributor: Establish a session using Contributor credentials.
- Navigate to Posts List: Use
browser_navigateto go to/wp-admin/edit.php. - Extract Nonce: The nonce is stored in a hidden input field within the
posts-filterform.- JS Execution:
browser_eval("document.querySelector('#_wpnonce')?.value")
- JS Execution:
- Identify Action String: Inspect the bulk action dropdown to find the value of the "Generate Featured Images" option.
- JS Execution:
browser_eval("document.querySelector('select[name=\"action\"] option[value*=\"thumbnail\"]')?.value")
- JS Execution:
5. Exploitation Strategy
- Identify Target: Find a Post ID owned by an Administrator that has a featured image.
- Capture Nonce: As the Contributor, extract the
_wpnoncefrom theedit.phppage. - Construct Exploit Request:
- URL:
http://localhost:8080/wp-admin/edit.php - Method:
POST(orGETif the plugin uses it, butPOSTis standard for bulk actions). - Body (URL-encoded):
action=[EXTRACTED_ACTION_NAME]&post[]=[TARGET_POST_ID]&_wpnonce=[EXTRACTED_NONCE]&action2=-1 - Headers: Include
Content-Type: application/x-www-form-urlencodedand the Contributor'sCookie.
- URL:
- Execute: Use
http_request.
6. Test Data Setup
- Admin User: Default admin.
- Target Post: Create a post as Admin and set a featured image.
wp post create --post_title="Admin Secret Post" --post_status=publish --post_author=1wp media import /path/to/image.jpg --post_id=[ID] --featured_image
- Contributor User: Create a user with the
contributorrole.wp user create attacker attacker@example.com --role=contributor --user_pass=password123
7. Expected Results
- Response: A
302 Redirectback toedit.phpwith a success message (e.g.,?bulk_action_done=...). - Database Change: The
_thumbnail_idmeta key for the Admin's post should be either removed (if using the "Delete" action) or updated to a new attachment ID (if using "Generate").
8. Verification Steps
- Before Exploit: Check the featured image ID for the Admin post.
wp post meta get [TARGET_POST_ID] _thumbnail_id
- After Exploit: Check the same meta key.
- If it was a "Delete" action: The command should return an error or empty.
- If it was a "Generate" action: The ID should have changed or been created if it was missing.
- Access Verification: Confirm that the Contributor user cannot normally edit this post via the UI or REST API.
9. Alternative Approaches
- Check
admin-ajax.php: Some plugins implement bulk actions via AJAX if they use a custom UI. Search forwp_ajax_hooks related to "thumbnail" or "generate". - Direct Post Meta Modification: Check if the plugin uses a specific
admin_initoradmin_posthook instead of the standard bulk action filter. - Identify Action Names: If the
edit.phpdropdown doesn't show the action, grep the source foradd_filter( 'bulk_actions-edit-post', ... )to see the internal identifier.
Source Code Analysis (Specific Identifiers to verify):
- Search for:
public function bulk_action_generate_handlerinincludes/oradmin/folders. - Check Hook:
add_filter( 'handle_bulk_actions-edit-post', array( $this, 'bulk_action_generate_handler' ), 10, 3 ); - Check Nonce Action: In
bulk_action_generate_handler, look forcheck_admin_refererorwp_verify_nonce. If it's missing, the exploit is even easier. If it's present, verify it uses the standardbulk-postsaction.
Summary
The Auto Featured Image plugin for WordPress (versions up to 4.2.1) lacks a capability check in its bulk action handler, allowing authenticated users with Contributor-level access to modify featured images on any post. By submitting a crafted bulk action request, an attacker can trigger the generation or deletion of thumbnails for posts they do not have permissions to edit.
Exploit Outline
To exploit this vulnerability, an attacker must be authenticated with at least Contributor-level privileges. The attacker first navigates to the WordPress Posts dashboard (/wp-admin/edit.php) to extract a valid '_wpnonce' from the post-filter form. They then identify the specific bulk action name used by the plugin (e.g., 'generate_auto_post_thumbnail' or 'delete_auto_post_thumbnail'). Finally, the attacker sends a POST request to '/wp-admin/edit.php' including the extracted nonce, the targeted Post IDs in the 'post[]' array, and the desired action. Because the 'bulk_action_generate_handler' function fails to verify permissions for each post, the plugin will process the request for posts owned by other users (such as Administrators).
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.