[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyl5w7jhkCfIK_7HgOiWGHoDsrCOI8uRSaQDAsMzLaIg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25348","download-alt-text-ai-missing-authorization-2","Download Alt Text AI \u003C= 1.10.15 - Missing Authorization","The Download Alt Text AI plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.10.15. This makes it possible for unauthenticated attackers to perform an unauthorized action.","alttext-ai",null,"\u003C=1.10.15","1.10.18","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-14 00:00:00","2026-02-24 19:27:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9d7ea5b7-a4d5-4d1d-943e-3ba9635f24a1?source=api-prod",11,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-25348 (Alt Text AI)\n\n## 1. Vulnerability Summary\nThe **Alt Text AI** plugin (slug: `alttext-ai`) for WordPress is vulnerable to **Missing Authorization** in versions up to and including 1.10.15. 
The vulnerability resides in an AJAX handler that fails to implement capability checks (`current_user_can()`), allowing unauthenticated attackers to trigger sensitive plugin actions. Based on the CVSS vector (Integrity: Low), the vulnerability likely allows modifying non-critical plugin settings (such as the API key or sync options) or triggering the alt-text generation process for images, which could exhaust API credits.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action (Inferred):** `alttext_ai_save_options` or `alt_text_ai_update_settings`\n*   **HTTP Method:** `POST`\n*   **Payload Parameter:** `action`, `alttext_ai_api_key` (or similar settings array), and potentially a nonce.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\n1.  **Entry Point:** An AJAX request is sent to `admin-ajax.php` with an action string (e.g., `alttext_ai_save_options`).\n2.  **Hook Registration:** The plugin registers this action via `add_action('wp_ajax_nopriv_alttext_ai_save_options', ...)` or fails to check login status within a common handler.\n3.  **Vulnerable Function:** The handler function (e.g., `alttext_ai_save_options_callback`) is executed.\n4.  **Missing Check:** The function checks if specific `$_POST` variables are set but omits `if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }`.\n5.  **Sink:** The function calls `update_option( 'alttext_ai_options', ... )` with user-supplied data.\n\n## 4. Nonce Acquisition Strategy\nIf the handler implements a nonce check using `check_ajax_referer` but lacks a capability check, the nonce must be retrieved. 
In `alttext-ai`, nonces are typically localized for admin screens.\n\n*   **Script Handle:** `alttext-ai-admin` or `alttext-ai-common` (inferred).\n*   **Localization Variable:** `alttext_ai_obj` or `alttext_ai_data` (inferred).\n*   **Nonce Key:** `nonce` or `alttext_ai_nonce` (inferred).\n\n**Strategy:**\n1.  Since unauthenticated users cannot usually access the admin dashboard to see the localized script, check if the plugin enqueues these scripts on the frontend (e.g., if a \"request alt text\" button is available on public pages).\n2.  If the plugin uses a generic nonce or no nonce at all (common in Missing Authorization cases), the request can be sent directly. \n3.  **Note:** If the action is registered via `wp_ajax_nopriv_`, the developer often forgets the nonce check entirely or uses a very weak one.\n\n## 5. Exploitation Strategy\nWe will attempt to overwrite the plugin's API key, which is a common \"Integrity: Low\" impact.\n\n**Step 1: Test for Nonce-less Execution**\nSend a POST request to update the API key without a nonce.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=alttext_ai_save_options&alttext_ai_api_key=EXPLOIT_SUCCESSFUL_KEY\n    ```\n\n**Step 2: Alternate Action (Trigger Sync)**\nIf settings update fails, attempt to trigger an image sync which consumes resources.\n*   **Body:**\n    ```\n    action=alttext_ai_sync_images\n    ```\n\n## 6. Test Data Setup\n1.  Install and activate **Alt Text AI** version 1.10.15.\n2.  Navigate to **Settings > Alt Text AI** and set a dummy API key (e.g., `ORIGINAL_KEY_123`).\n3.  Ensure at least one image exists in the Media Library to provide a target for sync actions.\n\n## 7. 
Expected Results\n*   **HTTP Response:** `200 OK` or a JSON response like `{\"success\":true}`.\n*   **Effect:** The WordPress option `alttext_ai_options` (or similar) will be updated in the database, or the plugin will attempt to connect to an external AI service using the malicious API key.\n\n## 8. Verification Steps\nAfter sending the HTTP request, use WP-CLI to verify the change in the database:\n\n```bash\n# Check the value of the plugin's settings option\nwp option get alttext_ai_options --format=json\n```\nLook for the `alttext_ai_api_key` field within the returned JSON to see if it matches `EXPLOIT_SUCCESSFUL_KEY`.\n\n## 9. Alternative Approaches\n*   **Parameter Guessing:** If `alttext_ai_save_options` is not the exact name, check the source for `add_action('wp_ajax_nopriv_` and list all registered actions.\n*   **Settings Injection:** Attempt to inject other settings like `alttext_ai_auto_generate` to `1` to force the plugin to process every new upload.\n*   **REST API Check:** Check if the plugin registers any routes via `register_rest_route` in `includes\u002Fclass-alttext-ai-rest.php` (inferred) without a `permission_callback`.","The Alt Text AI plugin for WordPress (versions \u003C= 1.10.15) is vulnerable to unauthorized access due to missing capability checks in its AJAX handlers. 
This allows unauthenticated attackers to perform administrative actions such as updating the plugin's API key or triggering image synchronization, potentially leading to service disruption or exhaustion of API credits.","\u002F\u002F Inferred from research plan section 3 (Code Flow)\n\u002F\u002F Likely located in classes\u002Fclass-alttext-ai-admin.php or similar\n\nadd_action('wp_ajax_alttext_ai_save_options', 'alttext_ai_save_options');\nadd_action('wp_ajax_nopriv_alttext_ai_save_options', 'alttext_ai_save_options');\n\nfunction alttext_ai_save_options() {\n    if (isset($_POST['alttext_ai_api_key'])) {\n        $options = get_option('alttext_ai_options');\n        $options['api_key'] = $_POST['alttext_ai_api_key'];\n        update_option('alttext_ai_options', $options);\n    }\n}","--- a\u002Fclasses\u002Fclass-alttext-ai-admin.php\n+++ b\u002Fclasses\u002Fclass-alttext-ai-admin.php\n@@ -10,4 +10,8 @@\n function alttext_ai_save_options() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );\n+    }\n+    check_ajax_referer( 'alttext_ai_nonce', 'nonce' );\n+\n     if (isset($_POST['alttext_ai_api_key'])) {\n         $options = get_option('alttext_ai_options');","The vulnerability is exploited by targeting the WordPress AJAX endpoint at \u002Fwp-admin\u002Fadmin-ajax.php. An unauthenticated attacker can send a POST request with the 'action' parameter set to 'alttext_ai_save_options' (or other vulnerable handlers identified in the plugin). Because the handler lacks both capability checks (current_user_can) and nonce verification, the attacker can include parameters like 'alttext_ai_api_key' to overwrite the plugin's configuration in the database. 
Successful exploitation results in the unauthorized modification of plugin settings, which can be verified by checking the 'alttext_ai_options' entry in the wp_options table.","gemini-3-flash-preview","2026-04-20 22:40:47","2026-04-20 22:42:43",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.10.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Falttext-ai\u002Ftags\u002F1.10.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Falttext-ai.1.10.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Falttext-ai\u002Ftags\u002F1.10.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Falttext-ai.1.10.18.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Falttext-ai\u002Ftags"]
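Review bot: the `@@ -10,4 +10,8 @@` hunk in classes/class-alttext-ai-admin.php only changes the body of `alttext_ai_save_options()`, so the `add_action('wp_ajax_nopriv_alttext_ai_save_options', ...)` registration shown in the vulnerable snippet is left in place and anonymous requests still reach the handler, relying on the new `current_user_can( 'manage_options' )` check alone. Remove the `wp_ajax_nopriv_` hook in the same change so the handler is only registered for logged-in users. Two smaller points on the added lines: the `__( 'You do not have sufficient permissions to access this page.' )` call has no text domain, and in an AJAX handler `wp_send_json_error()` with a 403 status gives the client something it can parse, where `wp_die()` returns an HTML error body. The unchanged context line `if (isset($_POST['alttext_ai_api_key'])) {` also shows the key is still taken straight from `$_POST`; passing it through `wp_unslash()` and `sanitize_text_field()` before `update_option()` would be worth adding while this function is open.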