{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25348", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:42.958Z", "datePublished": "2026-02-19T08:26:58.744Z", "dateUpdated": "2026-04-28T16:14:56.364Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "alttext-ai", "product": "Download Alt Text AI", "vendor": "alttextai", "versions": [{"changes": [{"at": "1.10.18", "status": "unaffected"}], "lessThanOrEqual": "1.10.15", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:07.155Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in alttextai Download Alt Text AI alttext-ai allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Download Alt Text AI: from n/a through <= 1.10.15.</p>"}], "value": "Missing Authorization vulnerability in alttextai Download Alt Text AI alttext-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Alt Text AI: from n/a through <= 1.10.15."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.364Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/alttext-ai/vulnerability/wordpress-download-alt-text-ai-plugin-1-10-15-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Download Alt Text AI plugin <= 1.10.15 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:12:58.873488Z", "id": "CVE-2026-25348", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:25:34.589Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25348", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:12:58.873488Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:12:46.116Z"}}], "cna": {"title": "WordPress Download Alt Text AI plugin <= 1.10.15 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "alttextai", "product": "Download Alt Text AI", "versions": [{"status": "affected", "changes": [{"at": "1.10.18", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.10.15"}], "packageName": "alttext-ai", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-19T09:25:58.285Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/alttext-ai/vulnerability/wordpress-download-alt-text-ai-plugin-1-10-15-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in alttextai Download Alt Text AI alttext-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Alt Text AI: from n/a through <= 1.10.15.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in alttextai Download Alt Text AI alttext-ai allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Download Alt Text AI: from n/a through <= 1.10.15.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-19T08:26:58.744Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25348", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:13:36.806Z", "dateReserved": "2026-02-02T12:52:42.958Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:58.744Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in alttextai Download Alt Text AI alttext-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Alt Text AI: from n/a through <= 1.10.15."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en alttextai Download Alt Text AI alttext-ai permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Download Alt Text AI: desde n/a hasta &lt;= 1.10.15."}], "id": "CVE-2026-25348", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:18.883", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/alttext-ai/vulnerability/wordpress-download-alt-text-ai-plugin-1-10-15-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.10.15]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Download Alt Text AI", "source": "cna", "vendor": "alttextai"}, "product": "download_alt_text_ai", "vendor": "alttextai"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:25:57.166785+00:00", "value": {"mitigation_remediation": ["Update the Download Alt Text AI plugin to the latest version that includes the fix.", "Verify that only WordPress users with Administrator or equivalent roles can access the plugin\u2019s features and adjust the plugin\u2019s permission settings if necessary.", "If an update is not immediately available, disable or uninstall the plugin until a patched release is released."], "summary": {"action": "Apply Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The affected vendor is alttextai, and the product affected is the Download Alt Text AI plugin. All releases from the beginning of its history up to version\u202f1.10.15 are vulnerable. Users running any of these versions of the plugin on a WordPress installation are exposed to the access\u2011control issue until a fixed release is applied.", "description_and_impact": "The vulnerability is a missing authorization flaw in the Download Alt Text AI WordPress plugin that allows exploiting incorrectly configured access control levels. This weakness permits unauthorized users to bypass normal privilege checks and potentially manipulate or retrieve alternative text information, leading to a disclosure or modification of content that should be restricted. The flaw is classified as CWE\u2011862 and results in an elevation of privileges for attackers who can interact with the plugin\u2019s interfaces.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate risk, and the EPSS of less than 1\u202f% suggests a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, so there is no evidence of active exploitation campaigns. An attacker could exploit the flaw by accessing the plugin\u2019s endpoints directly through a web browser or via automated scripts if the site allows unauthenticated or low\u2011privilege interaction with the plugin. No additional conditions or remote code execution capabilities are described, so the threat primarily remains an authorization bypass limited to the plugin\u2019s functions."}}}}, "created": "2026-02-20T10:08:48.760737+00:00", "updated": "2026-04-16T00:30:18.864211+00:00", "vendors": ["alttextai", "alttextai$PRODUCT$download_alt_text_ai", "wordpress", "wordpress$PRODUCT$wordpress"]}