What the vulnerability does
01 Description
Missing Authorization vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Featured Image: from n/a through <= 1.2.4.
Explanation of Vulnerability in Simple Terms
02 Summary
Bulk Featured Image versions 1.2.4 and earlier lack proper authorization checks, allowing authenticated users with low privileges to trigger a denial-of-service condition. An attacker can make repeated requests to exhaust server resources or disrupt site availability. The vulnerability requires a valid user account but no special permissions.
What an attacker can do
03 Attacker Capabilities
Disrupt site availability by triggering resource exhaustion or service degradation.
Potential impact on your site
04 Site Impact
Site may become slow or unresponsive if an authenticated user exploits this flaw repeatedly.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account with low-level privileges (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
May 7, 2025: CVE published
April 28, 2026: Record updated