CVE-2026-11997

Bulk SEO Image <= 1.1 - Cross-Site Request Forgery to Settings Update

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page handler BulkSeoImage(), which dispatches to launchbulk() / BulkSeoImageGo() whenever the request contains $_POST['bulkseoimage']. No wp_nonce_field() is emitted in the form and no check_admin_referer()/wp_verify_nonce() is performed before bulk-overwriting the _wp_attachment_image_alt post meta for every image attached to every published post and/or page. This makes it possible for unauthenticated attackers to bulk-overwrite image ALT-text metadata across the site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1
PublishedJune 23, 2026
Last updatedJune 24, 2026
Affected pluginbulk-seo-image
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-11997 (Bulk SEO Image CSRF) ## 1. Vulnerability Summary The **Bulk SEO Image** plugin (versions <= 1.1) is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The vulnerability exists because the plugin fails to implement nonce validation (via `wp_nonce_…

Show full research plan

Exploitation Research Plan: CVE-2026-11997 (Bulk SEO Image CSRF)

1. Vulnerability Summary

The Bulk SEO Image plugin (versions <= 1.1) is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The vulnerability exists because the plugin fails to implement nonce validation (via wp_nonce_field() or check_admin_referer()) in its primary administrative handler, BulkSeoImage(). This function triggers a bulk update of image ALT text metadata (_wp_attachment_image_alt) across the entire site by calling launchbulk() and BulkSeoImageGo() whenever a POST request contains the key bulkseoimage.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin.php?page=bulk-seo-image (inferred slug based on standard WordPress naming).
  • Hook: Likely admin_menu or admin_init registering the BulkSeoImage callback.
  • Vulnerable Parameter: $_POST['bulkseoimage'].
  • Authentication: Requires an authenticated administrator session.
  • Preconditions: The attacker must trick a logged-in administrator into visiting a malicious page or submitting a form that sends a POST request to the target site.

3. Code Flow

  1. Entry Point: An administrator accesses the plugin settings page (likely registered via add_options_page or add_menu_page with the callback BulkSeoImage).
  2. Logic Trigger: Inside BulkSeoImage(), the code checks if isset($_POST['bulkseoimage']).
  3. Vulnerable Dispatch: Because no check_admin_referer() check exists, the code proceeds to call launchbulk() or BulkSeoImageGo().
  4. The Sink: These functions query for all published posts and pages, identify attached images, and use update_post_meta($attachment_id, '_wp_attachment_image_alt', $new_alt_text) to overwrite the metadata for every image on the site.

4. Nonce Acquisition Strategy

According to the vulnerability description, the plugin does not emit a nonce field and does not verify one.

  • Nonce Requirement: None. The vulnerability specifically cites "missing or incorrect nonce validation."
  • Bypass: Simply omit any nonce parameters. If the plugin's code performs a logic check like if ( !wp_verify_nonce(...) ) but fails to exit/die, or if it is entirely absent, the request will proceed.

5. Exploitation Strategy

The goal is to trigger the bulk metadata overwrite via an unauthenticated external POST request (simulating a CSRF).

Step-by-Step Plan:

  1. Identify the exact POST parameters: Use browser_navigate to visit the settings page and inspect the HTML form to see what bulkseoimage value and accompanying settings (like ALT text patterns) are used.
  2. Craft the Payload: Create a POST request that mimics the legitimate form submission.
  3. Execute via HTTP Request: Use the http_request tool with the administrator's cookies to simulate the CSRF.

Exploit Payload (Conceptual):

URL: http://localhost:8080/wp-admin/admin.php?page=bulk-seo-image (inferred)
Method: POST
Headers: Content-Type: application/x-www-form-urlencoded
Body:

bulkseoimage=1&...[any other parameters found in the form]

6. Test Data Setup

To demonstrate the impact, the test environment must contain images with existing ALT text:

  1. Create Posts: Create 2-3 posts/pages with at least one image each.
    wp post create --post_type=post --post_title="Test Post 1" --post_status=publish
    
  2. Upload/Attach Images: Upload an image and attach it to the posts.
  3. Set Initial ALT Text: Manually set a known ALT text for these images.
    wp post meta update [ATTACHMENT_ID] _wp_attachment_image_alt "Original Alt Text"
    

7. Expected Results

  • The server should return a 302 Redirect or a 200 OK indicating the process has run.
  • The _wp_attachment_image_alt metadata for all images in the database should be modified according to the plugin's bulk processing logic (e.g., changed to match the post titles).

8. Verification Steps

After sending the POST request, verify the metadata change using WP-CLI:

# Get all image attachment IDs
ATTACHMENTS=$(wp post list --post_type=attachment --format=ids)

# Check the ALT text for each
for ID in $ATTACHMENTS; do
    echo "ID $ID Alt: $(wp post meta get $ID _wp_attachment_image_alt)"
done

If the ALT text no longer matches "Original Alt Text", the CSRF was successful.

9. Alternative Approaches

If the plugin uses a specific button name or additional hidden fields for the bulk action:

  1. Form Inspection: Use browser_eval("document.querySelector('form').innerHTML") on the settings page to find all input names.
  2. Direct Action: If BulkSeoImage() is hooked to admin_init rather than a menu callback, the request might need to be sent to wp-admin/admin-post.php with an action parameter. Verify the hook registration in the main plugin file.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Bulk SEO Image plugin for WordPress (versions up to 1.1) is vulnerable to Cross-Site Request Forgery (CSRF). This flaw allows unauthenticated attackers to overwrite the '_wp_attachment_image_alt' metadata for all images on a site by tricking an administrator into visiting a malicious link.

Vulnerable Code

/* File: bulk-seo-image.php */
function BulkSeoImage() {
    // ... 
    if (isset($_POST['bulkseoimage'])) {
        launchbulk(); // or BulkSeoImageGo()
    }
    // ...
}

---

/* File: bulk-seo-image.php */
function launchbulk() {
    // ... logic iterating through posts/pages ...
    update_post_meta($attachment_id, '_wp_attachment_image_alt', $new_alt_text);
}

Security Fix

--- bulk-seo-image.php
+++ bulk-seo-image.php
@@ -2,6 +2,7 @@
 function BulkSeoImage() {
-    if (isset($_POST['bulkseoimage'])) {
+    if (isset($_POST['bulkseoimage'])) {
+        check_admin_referer('bulk_seo_image_action', 'bulk_seo_image_nonce');
         launchbulk();
     }
 }
@@ -10,4 +11,5 @@
 <form method="post">
+    <?php wp_nonce_field('bulk_seo_image_action', 'bulk_seo_image_nonce'); ?>
     <input type="submit" name="bulkseoimage" value="Update All Images">

Exploit Outline

The exploit targets the '/wp-admin/admin.php?page=bulk-seo-image' endpoint by crafting a POST request containing the 'bulkseoimage' parameter. Because the plugin does not implement nonce validation via check_admin_referer() or wp_verify_nonce(), an unauthenticated attacker can use a CSRF vector—such as a malicious website with an auto-submitting form—to trick an authenticated administrator into triggering the bulk metadata update function, overwriting image ALT text site-wide.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.