{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13794", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-30T12:22:33.208Z", "datePublished": "2025-12-16T05:25:19.785Z", "dateUpdated": "2026-04-08T16:43:21.304Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:21.304Z"}, "affected": [{"vendor": "themeisle", "product": "Auto Featured Image (Auto Post Thumbnail)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own."}], "title": "Auto Featured Image <= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29b0fd97-a669-42bb-b01e-bdc0395d697e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/auto-post-thumbnail/tags/4.2.1/includes/class-plugin.php#L425"}, {"url": "https://research.cleantalk.org/cve-2025-13794/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-11-19T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-30T12:38:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-15T16:51:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T17:38:10.133552Z", "id": "CVE-2025-13794", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T17:41:43.192Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-16T17:38:10.133552Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T17:40:09.160Z"}}], "cna": {"title": "Auto Featured Image <= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "themeisle", "product": "Auto Featured Image (Auto Post Thumbnail)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-19T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-30T12:38:10.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-15T16:51:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29b0fd97-a669-42bb-b01e-bdc0395d697e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/auto-post-thumbnail/tags/4.2.1/includes/class-plugin.php#L425"}, {"url": "https://research.cleantalk.org/cve-2025-13794/"}], "descriptions": [{"lang": "en", "value": "The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:21.304Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13794", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:21.304Z", "dateReserved": "2025-11-30T12:22:33.208Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-16T05:25:19.785Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own."}], "id": "CVE-2025-13794", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-16T06:15:42.407", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/auto-post-thumbnail/tags/4.2.1/includes/class-plugin.php#L425"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-13794/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29b0fd97-a669-42bb-b01e-bdc0395d697e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:06:33.623945+00:00", "value": {"mitigation_remediation": ["Upgrade the Auto Featured Image plugin to the latest version (\u2265\u202f4.2.2) or any version that includes a proper capability check for the bulk action handler.", "If an upgrade is not immediately possible, remove or disable the bulk_action_generate_handler functionality for Contributor and lower roles, or adjust WordPress role capabilities so that these users cannot execute bulk actions in the plugin.", "Verify that the plugin\u2019s code correctly checks for the necessary capabilitiy, such as 'edit_posts' or a custom capability, before performing delete or generate operations on featured images."], "summary": {"action": "Patch", "impact": "Unauthorized Post Thumbnail Modification"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all released versions of the Auto Featured Image (Auto Post Thumbnail) plugin up to and including 4.2.1, released by ThemeIsle. WordPress sites that have installed this plugin and have users with Contributor or higher capabilities are potentially affected.", "description_and_impact": "The Auto Featured Image (Auto Post Thumbnail) WordPress plugin contains a missing capability check in the bulk_action_generate_handler function. This flaw allows an authenticated user with Contributor or higher privileges to delete or generate featured images on posts that they do not own, effectively enabling unauthorized modification of post thumbnails. The vulnerability is a classic missing authorization issue (CWE\u2011862) and could be used to deface a site\u2019s visual presentation or mislead visitors by altering featured media on content they have no right to modify. While it does not provide remote code execution or direct data exfiltration, it elevates a contributor\u2019s influence over the appearance of other users\u2019 posts.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and an EPSS score of less than 1% reflects a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated WordPress account with Contributor or higher access, so the attack vector is an authenticated web application action via the WordPress management interface. Users with the appropriate role can trigger the bulk action without additional credentials, making the vulnerability straightforward to exploit for those who already have contributor-level access."}}}}, "created": "2025-12-16T20:45:25.733395+00:00", "updated": "2026-04-22T16:15:21.789224+00:00", "vendors": ["themeisle", "themeisle$PRODUCT$auto_featured_image", "wordpress", "wordpress$PRODUCT$wordpress"]}