{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12113", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-23T15:16:28.940Z", "datePublished": "2025-11-12T07:27:41.353Z", "dateUpdated": "2026-04-08T16:52:57.141Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:57.141Z"}, "affected": [{"vendor": "webtoffee", "product": "Alt Text Generator AI \u2013 Auto Generate & Bulk Update Alt Texts For Images", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Alt Text Generator AI \u2013 Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site."}], "title": "Alt Text Generator AI \u2013 Auto Generate & Bulk Update Alt Texts For Images <= 1.8.3 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5309e891-ced1-496f-8ee5-c089a91a7666?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390619%40alt-text-generator&new=3390619%40alt-text-generator&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-10-29T20:45:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-11T19:11:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T14:20:55.444473Z", "id": "CVE-2025-12113", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T15:26:46.379Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12113", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T14:20:55.444473Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T14:20:56.109Z"}}], "cna": {"title": "Alt Text Generator AI \u2013 Auto Generate & Bulk Update Alt Texts For Images <= 1.8.3 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "webtoffee", "product": "Alt Text Generator AI \u2013 Auto Generate & Bulk Update Alt Texts For Images", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-29T20:45:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-11T19:11:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5309e891-ced1-496f-8ee5-c089a91a7666?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390619%40alt-text-generator&new=3390619%40alt-text-generator&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Alt Text Generator AI \u2013 Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:57.141Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12113", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:57.141Z", "dateReserved": "2025-10-23T15:16:28.940Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-12T07:27:41.353Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Alt Text Generator AI \u2013 Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site."}], "id": "CVE-2025-12113", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-12T08:15:40.850", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390619%40alt-text-generator&new=3390619%40alt-text-generator&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5309e891-ced1-496f-8ee5-c089a91a7666?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:59:10.550466+00:00", "value": {"mitigation_remediation": ["Upgrade the Alt Text Generator AI plugin to the latest version (>=1.8.4) where the missing capability check has been added.", "If an upgrade is not immediately possible, revoke or regenerate the AI API key via the WordPress admin to prevent use of the existing key and monitor for further deletions.", "Restrict Subscriber or higher roles from accessing the atgai_delete_api_key endpoint by adjusting role capabilities or using a role\u2011based access control plugin."], "summary": {"action": "Patch Now", "impact": "Data Loss"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WebToffee Alt Text Generator AI \u2013 Auto Generate & Bulk Update Alt Texts For Images WordPress plugin. All releases up to, and including, 1.8.3 are impacted. The affected product is the plugin itself, and any WordPress installations that have this plugin installed at an affected version.", "description_and_impact": "The Alt Text Generator AI plugin for WordPress contains a missing capability check on the atgai_delete_api_key() function. This flaw allows any authenticated user with Subscriber-level access or higher to delete the API key associated with the site. Removing the key disables the plugin\u2019s AI assistance, causing a loss of service functionality and potentially exposing underlying data if the key was used for sensitive operations. The weakness is classified as CWE-862, a missing authorization vulnerability.", "risk_and_exploitability": "The CVSS v3.1 base score for this flaw is 4.3, indicating a medium risk from a technical standpoint. However, the EPSS score is below 1%, implying a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires that the attacker be authenticated with at least Subscriber-level privileges, the attack vector is internal. A legitimate subscriber could trigger the deletion endpoint to invalidate the AI key, disrupting workflow or potentially exposing private data if the key is used to interface with external services. The overall risk remains moderate due to the need for valid credentials and the low exploitation likelihood."}}}}, "created": "2025-11-12T22:16:17.674499+00:00", "updated": "2026-04-22T12:00:05.916417+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}