Bulk SEO Image <= 1.1 - Cross-Site Request Forgery to Settings Update
Description
The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page handler BulkSeoImage(), which dispatches to launchbulk() / BulkSeoImageGo() whenever the request contains $_POST['bulkseoimage']. No wp_nonce_field() is emitted in the form and no check_admin_referer()/wp_verify_nonce() is performed before bulk-overwriting the _wp_attachment_image_alt post meta for every image attached to every published post and/or page. This makes it possible for unauthenticated attackers to bulk-overwrite image ALT-text metadata across the site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
# Exploitation Research Plan: CVE-2026-11997 (Bulk SEO Image CSRF) ## 1. Vulnerability Summary The **Bulk SEO Image** plugin (versions <= 1.1) is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The vulnerability exists because the plugin fails to implement nonce validation (via `wp_nonce_…
Show full research plan
Exploitation Research Plan: CVE-2026-11997 (Bulk SEO Image CSRF)
1. Vulnerability Summary
The Bulk SEO Image plugin (versions <= 1.1) is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The vulnerability exists because the plugin fails to implement nonce validation (via wp_nonce_field() or check_admin_referer()) in its primary administrative handler, BulkSeoImage(). This function triggers a bulk update of image ALT text metadata (_wp_attachment_image_alt) across the entire site by calling launchbulk() and BulkSeoImageGo() whenever a POST request contains the key bulkseoimage.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin.php?page=bulk-seo-image(inferred slug based on standard WordPress naming). - Hook: Likely
admin_menuoradmin_initregistering theBulkSeoImagecallback. - Vulnerable Parameter:
$_POST['bulkseoimage']. - Authentication: Requires an authenticated administrator session.
- Preconditions: The attacker must trick a logged-in administrator into visiting a malicious page or submitting a form that sends a POST request to the target site.
3. Code Flow
- Entry Point: An administrator accesses the plugin settings page (likely registered via
add_options_pageoradd_menu_pagewith the callbackBulkSeoImage). - Logic Trigger: Inside
BulkSeoImage(), the code checks ifisset($_POST['bulkseoimage']). - Vulnerable Dispatch: Because no
check_admin_referer()check exists, the code proceeds to calllaunchbulk()orBulkSeoImageGo(). - The Sink: These functions query for all published posts and pages, identify attached images, and use
update_post_meta($attachment_id, '_wp_attachment_image_alt', $new_alt_text)to overwrite the metadata for every image on the site.
4. Nonce Acquisition Strategy
According to the vulnerability description, the plugin does not emit a nonce field and does not verify one.
- Nonce Requirement: None. The vulnerability specifically cites "missing or incorrect nonce validation."
- Bypass: Simply omit any nonce parameters. If the plugin's code performs a logic check like
if ( !wp_verify_nonce(...) )but fails to exit/die, or if it is entirely absent, the request will proceed.
5. Exploitation Strategy
The goal is to trigger the bulk metadata overwrite via an unauthenticated external POST request (simulating a CSRF).
Step-by-Step Plan:
- Identify the exact POST parameters: Use
browser_navigateto visit the settings page and inspect the HTML form to see whatbulkseoimagevalue and accompanying settings (like ALT text patterns) are used. - Craft the Payload: Create a POST request that mimics the legitimate form submission.
- Execute via HTTP Request: Use the
http_requesttool with the administrator's cookies to simulate the CSRF.
Exploit Payload (Conceptual):
URL: http://localhost:8080/wp-admin/admin.php?page=bulk-seo-image (inferred)
Method: POST
Headers: Content-Type: application/x-www-form-urlencoded
Body:
bulkseoimage=1&...[any other parameters found in the form]
6. Test Data Setup
To demonstrate the impact, the test environment must contain images with existing ALT text:
- Create Posts: Create 2-3 posts/pages with at least one image each.
wp post create --post_type=post --post_title="Test Post 1" --post_status=publish - Upload/Attach Images: Upload an image and attach it to the posts.
- Set Initial ALT Text: Manually set a known ALT text for these images.
wp post meta update [ATTACHMENT_ID] _wp_attachment_image_alt "Original Alt Text"
7. Expected Results
- The server should return a
302 Redirector a200 OKindicating the process has run. - The
_wp_attachment_image_altmetadata for all images in the database should be modified according to the plugin's bulk processing logic (e.g., changed to match the post titles).
8. Verification Steps
After sending the POST request, verify the metadata change using WP-CLI:
# Get all image attachment IDs
ATTACHMENTS=$(wp post list --post_type=attachment --format=ids)
# Check the ALT text for each
for ID in $ATTACHMENTS; do
echo "ID $ID Alt: $(wp post meta get $ID _wp_attachment_image_alt)"
done
If the ALT text no longer matches "Original Alt Text", the CSRF was successful.
9. Alternative Approaches
If the plugin uses a specific button name or additional hidden fields for the bulk action:
- Form Inspection: Use
browser_eval("document.querySelector('form').innerHTML")on the settings page to find allinputnames. - Direct Action: If
BulkSeoImage()is hooked toadmin_initrather than a menu callback, the request might need to be sent towp-admin/admin-post.phpwith anactionparameter. Verify the hook registration in the main plugin file.
Summary
The Bulk SEO Image plugin for WordPress (versions up to 1.1) is vulnerable to Cross-Site Request Forgery (CSRF). This flaw allows unauthenticated attackers to overwrite the '_wp_attachment_image_alt' metadata for all images on a site by tricking an administrator into visiting a malicious link.
Vulnerable Code
/* File: bulk-seo-image.php */ function BulkSeoImage() { // ... if (isset($_POST['bulkseoimage'])) { launchbulk(); // or BulkSeoImageGo() } // ... } --- /* File: bulk-seo-image.php */ function launchbulk() { // ... logic iterating through posts/pages ... update_post_meta($attachment_id, '_wp_attachment_image_alt', $new_alt_text); }
Security Fix
@@ -2,6 +2,7 @@ function BulkSeoImage() { - if (isset($_POST['bulkseoimage'])) { + if (isset($_POST['bulkseoimage'])) { + check_admin_referer('bulk_seo_image_action', 'bulk_seo_image_nonce'); launchbulk(); } } @@ -10,4 +11,5 @@ <form method="post"> + <?php wp_nonce_field('bulk_seo_image_action', 'bulk_seo_image_nonce'); ?> <input type="submit" name="bulkseoimage" value="Update All Images">
Exploit Outline
The exploit targets the '/wp-admin/admin.php?page=bulk-seo-image' endpoint by crafting a POST request containing the 'bulkseoimage' parameter. Because the plugin does not implement nonce validation via check_admin_referer() or wp_verify_nonce(), an unauthenticated attacker can use a CSRF vector—such as a malicious website with an auto-submitting form—to trick an authenticated administrator into triggering the bulk metadata update function, overwriting image ALT text site-wide.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.