What the vulnerability does
01 Description
The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own.
Explanation of Vulnerability in Simple Terms
02 Summary
The Auto Featured Image plugin for WordPress does not properly check user permissions before allowing modifications to featured images. A logged-in user with low privileges can change featured images on posts they do not own, potentially altering site content without authorization. This affects all versions up to 4.2.1.
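To make the "missing capability check" concrete, here is an added, illustrative PHP example (not the plugin's code): a bulk AJAX handler that acts on every post id it is handed, next to a hardened form that verifies the nonce and checks `edit_post` for each post. All function, hook and parameter names are assumptions.

```php
<?php
// Illustrative example only: NOT the plugin's code. It shows the class of defect
// described in the advisory (a bulk handler with no capability check) beside a
// hardened form. Function, hook and parameter names are assumptions.

// Assumed helper: use the first attached image as the post's featured image.
function example_regenerate_thumbnail( $post_id ) {
    $images = get_attached_media( 'image', $post_id );
    if ( $images ) {
        set_post_thumbnail( $post_id, reset( $images )->ID );
    }
}

// Weak form: trusts that the caller may act on every post id it receives, so any
// logged-in user who can reach admin-ajax.php can change thumbnails on posts
// they do not own.
function example_bulk_generate_weak() {
    $ids = isset( $_POST['post_ids'] ) ? (array) $_POST['post_ids'] : array();
    foreach ( $ids as $id ) {
        example_regenerate_thumbnail( (int) $id );
    }
    wp_send_json_success();
}

// Hardened form: a valid nonce, a coarse request-level capability, and a
// per-post check that the current user may edit *that* post.
function example_bulk_generate_hardened() {
    check_ajax_referer( 'example_bulk_generate', 'nonce' ); // rejects forged requests

    if ( ! current_user_can( 'edit_posts' ) ) {              // coarse gate
        wp_send_json_error( 'forbidden', 403 );
    }

    $ids     = isset( $_POST['post_ids'] ) ? array_map( 'intval', (array) $_POST['post_ids'] ) : array();
    $done    = array();
    $skipped = array();

    foreach ( $ids as $id ) {
        // Per-object authorization: the edit_post meta capability lets a
        // Contributor pass only for their own unpublished posts, an Author only
        // for their own posts, and an Editor for any post.
        if ( $id <= 0 || ! current_user_can( 'edit_post', $id ) ) {
            $skipped[] = $id;
            continue;
        }
        example_regenerate_thumbnail( $id );
        $done[] = $id;
    }
    wp_send_json_success( array( 'done' => $done, 'skipped' => $skipped ) );
}

// Register only the hardened handler; no wp_ajax_nopriv_ hook, so guests cannot reach it.
add_action( 'wp_ajax_example_bulk_generate', 'example_bulk_generate_hardened' );
```

The per-post `current_user_can( 'edit_post', $id )` check is the piece whose absence lets a low-privilege account act on other users' posts; the nonce alone does not authorize anything.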
What an attacker can do
03 Attacker Capabilities
Modify featured images on posts the attacker does not own or have permission to edit.
Potential impact on your site
04 Site Impact
Unauthorized users can alter post thumbnails, potentially defacing content or disrupting site appearance without admin knowledge.
Conditions required to exploit
05 Prerequisites
Attacker must have a WordPress user account with at least low-level privileges (e.g., Contributor or Author role).
Key dates
06 Disclosure timeline
December 16, 2025: CVE published
April 8, 2026: Record updated