CVE-2025-13794

Auto Featured Image <= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.2.2
Patched in
58d
Time to patch

Description

The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.2.1
PublishedDecember 15, 2025
Last updatedFebruary 11, 2026
Affected pluginauto-post-thumbnail

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the research and exploitation strategy for **CVE-2025-13794**, a missing authorization vulnerability in the **Auto Featured Image** plugin. ### 1. Vulnerability Summary The `Auto Featured Image` plugin provides a bulk action to generate or delete featured images for posts. The fu…

Show full research plan

This plan outlines the research and exploitation strategy for CVE-2025-13794, a missing authorization vulnerability in the Auto Featured Image plugin.

1. Vulnerability Summary

The Auto Featured Image plugin provides a bulk action to generate or delete featured images for posts. The function responsible for handling these bulk actions, bulk_action_generate_handler, fails to perform a capability check (e.g., current_user_can( 'edit_others_posts' )). While the bulk action UI is intended for administrators, the underlying handler is accessible to any authenticated user with access to the WordPress dashboard, specifically Contributors and above. This allows a Contributor to trigger featured image generation or deletion for posts they do not own, which they normally cannot modify.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/edit.php (Standard WordPress bulk action handler).
  • Action Name: Likely generate_auto_post_thumbnail or delete_auto_post_thumbnail (to be confirmed in source).
  • Vulnerable Function: bulk_action_generate_handler.
  • Authentication: Contributor-level session required.
  • Parameters:
    • post[]: Array of Post IDs to target.
    • action or action2: The specific bulk action string.
    • _wpnonce: The bulk action nonce from the edit.php page.
  • Preconditions: A target post must exist that is NOT owned by the attacker (e.g., an Admin's post).

3. Code Flow

  1. Registration: The plugin likely hooks into handle_bulk_actions-edit-post (or similar) to register bulk_action_generate_handler.
  2. Trigger: When a user selects a bulk action from the dropdown on the Posts list and clicks "Apply", WordPress sends a POST or GET request to edit.php.
  3. Vulnerability: The bulk_action_generate_handler function is invoked. It likely checks for a nonce but fails to check if the current_user_can('edit_post', $post_id) or has general edit_others_posts permissions.
  4. Sink: The function iterates through the post[] array and calls set_post_thumbnail() or delete_post_meta($id, '_thumbnail_id').

4. Nonce Acquisition Strategy

Since the vulnerability involves a WordPress Admin bulk action, it likely requires the bulk-posts nonce.

  1. Login as Contributor: Establish a session using Contributor credentials.
  2. Navigate to Posts List: Use browser_navigate to go to /wp-admin/edit.php.
  3. Extract Nonce: The nonce is stored in a hidden input field within the posts-filter form.
    • JS Execution: browser_eval("document.querySelector('#_wpnonce')?.value")
  4. Identify Action String: Inspect the bulk action dropdown to find the value of the "Generate Featured Images" option.
    • JS Execution: browser_eval("document.querySelector('select[name=\"action\"] option[value*=\"thumbnail\"]')?.value")

5. Exploitation Strategy

  1. Identify Target: Find a Post ID owned by an Administrator that has a featured image.
  2. Capture Nonce: As the Contributor, extract the _wpnonce from the edit.php page.
  3. Construct Exploit Request:
    • URL: http://localhost:8080/wp-admin/edit.php
    • Method: POST (or GET if the plugin uses it, but POST is standard for bulk actions).
    • Body (URL-encoded):
      action=[EXTRACTED_ACTION_NAME]&post[]=[TARGET_POST_ID]&_wpnonce=[EXTRACTED_NONCE]&action2=-1
      
    • Headers: Include Content-Type: application/x-www-form-urlencoded and the Contributor's Cookie.
  4. Execute: Use http_request.

6. Test Data Setup

  1. Admin User: Default admin.
  2. Target Post: Create a post as Admin and set a featured image.
    • wp post create --post_title="Admin Secret Post" --post_status=publish --post_author=1
    • wp media import /path/to/image.jpg --post_id=[ID] --featured_image
  3. Contributor User: Create a user with the contributor role.
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password123

7. Expected Results

  • Response: A 302 Redirect back to edit.php with a success message (e.g., ?bulk_action_done=...).
  • Database Change: The _thumbnail_id meta key for the Admin's post should be either removed (if using the "Delete" action) or updated to a new attachment ID (if using "Generate").

8. Verification Steps

  1. Before Exploit: Check the featured image ID for the Admin post.
    • wp post meta get [TARGET_POST_ID] _thumbnail_id
  2. After Exploit: Check the same meta key.
    • If it was a "Delete" action: The command should return an error or empty.
    • If it was a "Generate" action: The ID should have changed or been created if it was missing.
  3. Access Verification: Confirm that the Contributor user cannot normally edit this post via the UI or REST API.

9. Alternative Approaches

  • Check admin-ajax.php: Some plugins implement bulk actions via AJAX if they use a custom UI. Search for wp_ajax_ hooks related to "thumbnail" or "generate".
  • Direct Post Meta Modification: Check if the plugin uses a specific admin_init or admin_post hook instead of the standard bulk action filter.
  • Identify Action Names: If the edit.php dropdown doesn't show the action, grep the source for add_filter( 'bulk_actions-edit-post', ... ) to see the internal identifier.

Source Code Analysis (Specific Identifiers to verify):

  • Search for: public function bulk_action_generate_handler in includes/ or admin/ folders.
  • Check Hook: add_filter( 'handle_bulk_actions-edit-post', array( $this, 'bulk_action_generate_handler' ), 10, 3 );
  • Check Nonce Action: In bulk_action_generate_handler, look for check_admin_referer or wp_verify_nonce. If it's missing, the exploit is even easier. If it's present, verify it uses the standard bulk-posts action.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Auto Featured Image plugin for WordPress (versions up to 4.2.1) lacks a capability check in its bulk action handler, allowing authenticated users with Contributor-level access to modify featured images on any post. By submitting a crafted bulk action request, an attacker can trigger the generation or deletion of thumbnails for posts they do not have permissions to edit.

Exploit Outline

To exploit this vulnerability, an attacker must be authenticated with at least Contributor-level privileges. The attacker first navigates to the WordPress Posts dashboard (/wp-admin/edit.php) to extract a valid '_wpnonce' from the post-filter form. They then identify the specific bulk action name used by the plugin (e.g., 'generate_auto_post_thumbnail' or 'delete_auto_post_thumbnail'). Finally, the attacker sends a POST request to '/wp-admin/edit.php' including the extracted nonce, the targeted Post IDs in the 'post[]' array, and the desired action. Because the 'bulk_action_generate_handler' function fails to verify permissions for each post, the plugin will process the request for posts owned by other users (such as Administrators).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.