Platform
wordpress
Component
auto-alt-text
Fixed in
2.5.3
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Auto Alt Text WordPress plugin. The flaw lets an attacker perform actions with a logged-in user's session if that user is tricked into clicking a malicious link or visiting an attacker-controlled page. Versions 0.0.0 through 2.5.2 are affected; the fix is in version 2.5.3.
In a CSRF attack the forged request is sent by the victim's own browser, which attaches the victim's WordPress authentication cookies, so the server cannot tell it apart from a request the user intended. Here, successful exploitation could let an attacker change image alt text, with SEO damage or defacement as the likely result. The direct impact is limited, but CSRF flaws are routinely chained with other weaknesses to reach administrative functions, and the blast radius is bounded by the permissions of the user whose session is abused.
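To make the missing check concrete, the following is an added illustration written for this page, not the Auto Alt Text plugin's own code: the advisory does not say which action lacked protection, so the `set_alt_text` handler, the hook names, and the `aat_example_` prefix are hypothetical. The vulnerable handler trusts the login cookie alone; the hardened one requires a WordPress nonce bound to the action and the user, then checks capability separately.

```php
<?php
// Hypothetical admin-post handler for updating an attachment's alt text.
// Not the plugin's real code; it shows the CSRF pattern and its fix.

// VULNERABLE: only the auth cookie is checked (implicitly, by admin_post_*
// firing for logged-in users). A page on any origin can auto-submit
//   <form action="https://victim.example/wp-admin/admin-post.php" method="post">
//     <input name="action" value="set_alt_text_vuln">
//     <input name="attachment_id" value="42"><input name="alt" value="pwned">
//   </form><script>document.forms[0].submit()</script>
// and the browser attaches the victim's cookies.
add_action('admin_post_set_alt_text_vuln', function () {
    $id  = isset($_POST['attachment_id']) ? (int) $_POST['attachment_id'] : 0;
    $alt = isset($_POST['alt']) ? sanitize_text_field(wp_unslash($_POST['alt'])) : '';
    update_post_meta($id, '_wp_attachment_image_alt', $alt);
    wp_safe_redirect(admin_url('upload.php'));
    exit;
});

// HARDENED, part 1: the legitimate form embeds a nonce. An attacker's page
// cannot read it, because the same-origin policy blocks reading wp-admin HTML.
function aat_example_render_form($attachment_id) {
    $current = get_post_meta($attachment_id, '_wp_attachment_image_alt', true);
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <?php wp_nonce_field('set_alt_text_' . (int) $attachment_id); // emits _wpnonce ?>
        <input type="hidden" name="action" value="set_alt_text">
        <input type="hidden" name="attachment_id" value="<?php echo (int) $attachment_id; ?>">
        <input type="text" name="alt" value="<?php echo esc_attr($current); ?>">
        <button type="submit">Save alt text</button>
    </form>
    <?php
}

// HARDENED, part 2: verify the nonce before doing anything, then verify
// authority. A nonce proves intent, not permission, so both checks are needed.
add_action('admin_post_set_alt_text', function () {
    $id = isset($_POST['attachment_id']) ? (int) $_POST['attachment_id'] : 0;

    // Dies with a 403 page if _wpnonce is missing, expired, or was issued
    // for a different action or a different user.
    check_admin_referer('set_alt_text_' . $id);

    if (!$id || !current_user_can('edit_post', $id)) {
        wp_die(esc_html__('You are not allowed to edit this attachment.'), 403);
    }

    $alt = isset($_POST['alt']) ? sanitize_text_field(wp_unslash($_POST['alt'])) : '';
    update_post_meta($id, '_wp_attachment_image_alt', $alt);
    wp_safe_redirect(admin_url('upload.php'));
    exit;
});
```

Binding the nonce action to the attachment ID means a nonce captured for one image cannot be replayed against another; `check_admin_referer()` additionally compares the Referer header, which is a useful second signal but not one to rely on alone, since some proxies strip it.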
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (PoC) code had been identified at the time of writing. Note that the CVSS base score of 4.3 (MEDIUM) rates severity, not likelihood: the EPSS score of 0.02% (5th percentile) puts the estimated probability of exploitation in the next 30 days near the bottom of the scale. It is not currently listed in the CISA KEV catalog.
Any site running an affected version is exposed, and the impact scales with the privileges of the user who is tricked; an administrator's session is the worst case. Because CSRF is carried out through the victim's browser rather than through the server, shared hosting neither raises nor lowers the risk of this particular flaw; the relevant question is which users can reach the plugin's admin actions while logged in.
• wordpress (local install):
grep -i '^ *\* *Version:' /var/www/html/wp-content/plugins/auto-alt-text/*.php
wp plugin get auto-alt-text --field=version
Any version below 2.5.3 is affected. Grepping the plugin source for wp_nonce_url or check_admin_referer only tells you that nonces are used somewhere, not that the affected action verifies one, so decide on the version.
• generic web (remote, unauthenticated):
curl -s https://example.com/wp-content/plugins/auto-alt-text/readme.txt | grep -i 'stable tag'
The Stable tag usually matches the installed version, but the readme is only reachable if the host does not block direct access to plugin files, so an empty result is not proof that the plugin is absent.
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Auto Alt Text plugin to version 2.5.3 or later. If upgrading is not immediately feasible, deactivate the plugin until it can be updated. A Web Application Firewall (WAF) rule that rejects state-changing requests to the plugin's admin endpoints whose Origin or Referer header does not match the site's own origin gives an interim layer of protection. A Content Security Policy does not stop CSRF (it governs what the victim's page may load, not what an attacker's page may submit), and input validation and output encoding address injection rather than forged requests, so neither should be counted as a CSRF control. Setting SameSite=Lax on session cookies, where your platform allows it, blocks cross-site POST submissions but still permits a top-level GET navigation from a malicious link, so it is a partial measure at best.
Update to version 2.5.3 or a newer patched version
CVE-2025-62866 is a Cross-Site Request Forgery (CSRF) vulnerability in the Auto Alt Text WordPress plugin, allowing attackers to perform unauthorized actions if a user clicks a malicious link.
You are affected if you are using Auto Alt Text version 0.0.0 through 2.5.2. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Auto Alt Text plugin to version 2.5.3 or later to resolve the vulnerability. Until then, deactivating the plugin or adding WAF rules that reject requests to its admin actions with a foreign Origin or Referer provides interim protection; CSP does not mitigate CSRF.
There is no confirmed active exploitation of CVE-2025-62866 at this time, but the vulnerability is publicly known and could be targeted.
Refer to the Auto Alt Text plugin's official website or WordPress plugin repository for the latest advisory and update information.