[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-OS_cqw8J_VYEl8TS8L-Lvbzc18LVryRkSZ-nOqTuSM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-11997","bulk-seo-image-cross-site-request-forgery-to-settings-update","Bulk SEO Image \u003C= 1.1 - Cross-Site Request Forgery to Settings Update","The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page handler BulkSeoImage(), which dispatches to launchbulk() \u002F BulkSeoImageGo() whenever the request contains $_POST['bulkseoimage']. No wp_nonce_field() is emitted in the form and no check_admin_referer()\u002Fwp_verify_nonce() is performed before bulk-overwriting the _wp_attachment_image_alt post meta for every image attached to every published post and\u002For page. This makes it possible for unauthenticated attackers to bulk-overwrite image ALT-text metadata across the site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","bulk-seo-image",null,"\u003C=1.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-23 16:41:29","2026-06-24 05:33:33",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fef176a6c-33d1-45d6-8a1d-3df1e8eb2170?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-11997 (Bulk SEO Image CSRF)\n\n## 1. Vulnerability Summary\nThe **Bulk SEO Image** plugin (versions \u003C= 1.1) is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The vulnerability exists because the plugin fails to implement nonce validation (via `wp_nonce_field()` or `check_admin_referer()`) in its primary administrative handler, `BulkSeoImage()`. This function triggers a bulk update of image ALT text metadata (`_wp_attachment_image_alt`) across the entire site by calling `launchbulk()` and `BulkSeoImageGo()` whenever a POST request contains the key `bulkseoimage`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin.php?page=bulk-seo-image` (inferred slug based on standard WordPress naming).\n- **Hook:** Likely `admin_menu` or `admin_init` registering the `BulkSeoImage` callback.\n- **Vulnerable Parameter:** `$_POST['bulkseoimage']`.\n- **Authentication:** Requires an authenticated administrator session.\n- **Preconditions:** The attacker must trick a logged-in administrator into visiting a malicious page or submitting a form that sends a POST request to the target site.\n\n## 3. Code Flow\n1. **Entry Point:** An administrator accesses the plugin settings page (likely registered via `add_options_page` or `add_menu_page` with the callback `BulkSeoImage`).\n2. **Logic Trigger:** Inside `BulkSeoImage()`, the code checks if `isset($_POST['bulkseoimage'])`.\n3. **Vulnerable Dispatch:** Because no `check_admin_referer()` check exists, the code proceeds to call `launchbulk()` or `BulkSeoImageGo()`.\n4. **The Sink:** These functions query for all published posts and pages, identify attached images, and use `update_post_meta($attachment_id, '_wp_attachment_image_alt', $new_alt_text)` to overwrite the metadata for every image on the site.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the plugin **does not emit a nonce field** and **does not verify one**.\n- **Nonce Requirement:** None. The vulnerability specifically cites \"missing or incorrect nonce validation.\"\n- **Bypass:** Simply omit any nonce parameters. If the plugin's code performs a logic check like `if ( !wp_verify_nonce(...) )` but fails to exit\u002Fdie, or if it is entirely absent, the request will proceed.\n\n## 5. Exploitation Strategy\nThe goal is to trigger the bulk metadata overwrite via an unauthenticated external POST request (simulating a CSRF).\n\n### Step-by-Step Plan:\n1. **Identify the exact POST parameters:** Use `browser_navigate` to visit the settings page and inspect the HTML form to see what `bulkseoimage` value and accompanying settings (like ALT text patterns) are used.\n2. **Craft the Payload:** Create a POST request that mimics the legitimate form submission.\n3. **Execute via HTTP Request:** Use the `http_request` tool with the administrator's cookies to simulate the CSRF.\n\n### Exploit Payload (Conceptual):\n**URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=bulk-seo-image` (inferred)\n**Method:** `POST`\n**Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n**Body:**\n```text\nbulkseoimage=1&...[any other parameters found in the form]\n```\n\n## 6. Test Data Setup\nTo demonstrate the impact, the test environment must contain images with existing ALT text:\n1. **Create Posts:** Create 2-3 posts\u002Fpages with at least one image each.\n   ```bash\n   wp post create --post_type=post --post_title=\"Test Post 1\" --post_status=publish\n   ```\n2. **Upload\u002FAttach Images:** Upload an image and attach it to the posts.\n3. **Set Initial ALT Text:** Manually set a known ALT text for these images.\n   ```bash\n   wp post meta update [ATTACHMENT_ID] _wp_attachment_image_alt \"Original Alt Text\"\n   ```\n\n## 7. Expected Results\n- The server should return a `302 Redirect` or a `200 OK` indicating the process has run.\n- The `_wp_attachment_image_alt` metadata for all images in the database should be modified according to the plugin's bulk processing logic (e.g., changed to match the post titles).\n\n## 8. Verification Steps\nAfter sending the POST request, verify the metadata change using WP-CLI:\n```bash\n# Get all image attachment IDs\nATTACHMENTS=$(wp post list --post_type=attachment --format=ids)\n\n# Check the ALT text for each\nfor ID in $ATTACHMENTS; do\n    echo \"ID $ID Alt: $(wp post meta get $ID _wp_attachment_image_alt)\"\ndone\n```\nIf the ALT text no longer matches \"Original Alt Text\", the CSRF was successful.\n\n## 9. Alternative Approaches\nIf the plugin uses a specific button name or additional hidden fields for the bulk action:\n1. **Form Inspection:** Use `browser_eval(\"document.querySelector('form').innerHTML\")` on the settings page to find all `input` names.\n2. **Direct Action:** If `BulkSeoImage()` is hooked to `admin_init` rather than a menu callback, the request might need to be sent to `wp-admin\u002Fadmin-post.php` with an `action` parameter. Verify the hook registration in the main plugin file.","The Bulk SEO Image plugin for WordPress (versions up to 1.1) is vulnerable to Cross-Site Request Forgery (CSRF). This flaw allows unauthenticated attackers to overwrite the '_wp_attachment_image_alt' metadata for all images on a site by tricking an administrator into visiting a malicious link.","\u002F* File: bulk-seo-image.php *\u002F\nfunction BulkSeoImage() {\n    \u002F\u002F ... \n    if (isset($_POST['bulkseoimage'])) {\n        launchbulk(); \u002F\u002F or BulkSeoImageGo()\n    }\n    \u002F\u002F ...\n}\n\n---\n\n\u002F* File: bulk-seo-image.php *\u002F\nfunction launchbulk() {\n    \u002F\u002F ... logic iterating through posts\u002Fpages ...\n    update_post_meta($attachment_id, '_wp_attachment_image_alt', $new_alt_text);\n}","--- bulk-seo-image.php\n+++ bulk-seo-image.php\n@@ -2,6 +2,7 @@\n function BulkSeoImage() {\n-    if (isset($_POST['bulkseoimage'])) {\n+    if (isset($_POST['bulkseoimage'])) {\n+        check_admin_referer('bulk_seo_image_action', 'bulk_seo_image_nonce');\n         launchbulk();\n     }\n }\n@@ -10,4 +11,5 @@\n \u003Cform method=\"post\">\n+    \u003C?php wp_nonce_field('bulk_seo_image_action', 'bulk_seo_image_nonce'); ?>\n     \u003Cinput type=\"submit\" name=\"bulkseoimage\" value=\"Update All Images\">","The exploit targets the '\u002Fwp-admin\u002Fadmin.php?page=bulk-seo-image' endpoint by crafting a POST request containing the 'bulkseoimage' parameter. Because the plugin does not implement nonce validation via check_admin_referer() or wp_verify_nonce(), an unauthenticated attacker can use a CSRF vector—such as a malicious website with an auto-submitting form—to trick an authenticated administrator into triggering the bulk metadata update function, overwriting image ALT text site-wide.","gemini-3-flash-preview","2026-06-25 19:15:51","2026-06-25 19:16:25",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbulk-seo-image\u002Ftags"]