What the vulnerability does
01Description
The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site.
Explanation of Vulnerability in Simple Terms
02Summary
The Alt Text Generator AI plugin for WordPress contains an authorization flaw that allows authenticated users with low privileges to modify alt text data they should not have access to. The vulnerability affects versions up to 1.8.3. An attacker with a basic user account can alter image metadata without proper permission checks, potentially corrupting or vandalizing site content.
What an attacker can do
03Attacker Capabilities
Modify alt text and image metadata for images they don't own or have permission to edit.
Potential impact on your site
04Site Impact
Unauthorized users can alter image alt text and metadata, risking content integrity and SEO damage.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., Contributor or Author role).
Key dates
06Disclosure timeline
November 12, 2025
CVE published
April 8, 2026
Record updated