CVE-2025-12113
📋 TL;DR
This vulnerability in the Alt Text Generator AI WordPress plugin allows authenticated attackers with Subscriber-level access or higher to delete the API key connected to the site. The missing capability check in the atgai_delete_api_key() function enables unauthorized data deletion. All WordPress sites using this plugin up to version 1.8.3 are affected.
💻 Affected Systems
- Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers delete the API key, disrupting the plugin's functionality and requiring manual reconfiguration, potentially causing service disruption for image alt text generation.
Likely Case
Malicious users or compromised accounts delete the API key, causing temporary loss of alt text generation functionality until the key is restored.
If Mitigated
With proper access controls and monitoring, impact is limited to minor service disruption that can be quickly remediated.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.4 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Alt Text Generator AI' and click 'Update Now'. 4. Verify plugin version is 1.8.4 or higher.
🔧 Temporary Workarounds
Remove vulnerable plugin
allTemporarily deactivate or remove the plugin until patched
wp plugin deactivate alt-text-generator
wp plugin delete alt-text-generator
Restrict user roles
allLimit Subscriber-level access or implement additional access controls
🧯 If You Can't Patch
- Deactivate the Alt Text Generator AI plugin immediately
- Implement strict access controls and monitor user activity for unauthorized API key deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Alt Text Generator AI → Version. If version is 1.8.3 or lower, you are vulnerable.Check Version:
wp plugin get alt-text-generator --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.8.4 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- WordPress audit logs showing API key deletion by non-admin users
- Plugin-specific logs showing API key removal
Network Indicators:
- HTTP POST requests to wp-admin/admin-ajax.php with action=atgai_delete_api_key from non-admin users
SIEM Query:
source="wordpress" AND (action="delete_api_key" OR uri="/wp-admin/admin-ajax.php") AND user_role!="administrator"