CVE-2025-12113 MEDIUM

CVE-2025-12113: Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images <= 1.8.3 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion

Vendor Webtoffee
Product Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images
Weakness CWE-862 · Missing authorization
Published November 12, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site.

Explanation of Vulnerability in Simple Terms

02Summary

The Alt Text Generator AI plugin for WordPress contains an authorization flaw that allows authenticated users with low privileges to modify alt text data they should not have access to. The vulnerability affects versions up to 1.8.3. An attacker with a basic user account can alter image metadata without proper permission checks, potentially corrupting or vandalizing site content.

What an attacker can do

03Attacker Capabilities

Modify alt text and image metadata for images they don't own or have permission to edit.

Potential impact on your site

04Site Impact

Unauthorized users can alter image alt text and metadata, risking content integrity and SEO damage.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege WordPress user account (e.g., Contributor or Author role).

Key dates

06Disclosure timeline

November 12, 2025 CVE published
April 8, 2026 Record updated