CVE-2026-24535
📋 TL;DR
This CVE describes a Missing Authorization vulnerability in the WordPress Automatic Featured Images from Videos plugin. It allows attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized actions. All WordPress sites using this plugin version 1.2.7 or earlier are affected.
💻 Affected Systems
- WordPress Automatic Featured Images from Videos plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify plugin settings, upload malicious files, or manipulate featured images across the entire WordPress site.
Likely Case
Unauthorized users could change plugin configurations or upload inappropriate featured images to posts.
If Mitigated
With proper access controls and authentication requirements, impact would be limited to authorized users only.
🎯 Exploit Status
Exploitation requires understanding of WordPress plugin structure but no special tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: >1.2.7
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Automatic Featured Images from Videos'. 4. Click 'Update Now' if available. 5. If no update available, deactivate and delete the plugin.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched version is available
wp plugin deactivate automatic-featured-images-from-videos
Access Restriction via .htaccess
linuxRestrict access to plugin directories
# Add to .htaccess in wp-content/plugins/automatic-featured-images-from-videos/
Order Deny,Allow
Deny from all
🧯 If You Can't Patch
- Deactivate the Automatic Featured Images from Videos plugin immediately
- Implement strict access controls and monitor for unauthorized plugin configuration changes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Automatic Featured Images from Videos. If version is 1.2.7 or earlier, you are vulnerable.Check Version:
wp plugin get automatic-featured-images-from-videos --field=versionVerify Fix Applied:
After update, verify plugin version is greater than 1.2.7. Test plugin functionality with non-admin users to ensure proper authorization.📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to plugin admin endpoints
- Plugin configuration changes from non-admin users
- Failed authorization attempts on plugin pages
Network Indicators:
- HTTP requests to /wp-admin/admin.php?page=automatic-featured-images-from-videos from unauthorized IPs
SIEM Query:
source="wordpress.log" AND ("automatic-featured-images-from-videos" OR "plugin settings") AND user_role!="administrator"