The vulnerability identified as CVE-2025-12113 affects the 'Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images' WordPress plugin developed by webtoffee. The root cause is a missing authorization check (CWE-862) in the atgai_delete_api_key() function, which is responsible for deleting the API key associated with the plugin. This API key is critical for the plugin's operation, enabling it to connect to external AI services to generate alt text for images in bulk. Because the function lacks proper capability verification, any authenticated user with at least Subscriber-level privileges can invoke this function and delete the API key. This leads to a loss of integrity as the plugin's ability to perform its intended function is compromised, potentially causing disruption in accessibility features relying on alt text generation. The vulnerability has a CVSS v3.1 base score of 4.3 (medium severity), reflecting its limited impact on confidentiality and availability but notable impact on integrity. Exploitation is straightforward since it requires only authenticated access at a low privilege level and no user interaction. The vulnerability affects all versions up to 1.8.3, with no patches currently linked. No known exploits have been reported in the wild as of the publication date (November 12, 2025).

The primary impact of this vulnerability is the unauthorized deletion of the API key used by the plugin, which can disrupt the automated generation and bulk updating of alt texts for images on WordPress sites. This can degrade website accessibility, potentially affecting compliance with accessibility standards such as WCAG. While it does not directly expose sensitive data or cause denial of service, the loss of API key integrity can interrupt workflows relying on AI-generated alt text, impacting user experience and site functionality. Organizations relying heavily on this plugin for accessibility or SEO purposes may face operational challenges. Additionally, if attackers delete the API key repeatedly, it could lead to administrative overhead and potential downtime while restoring functionality. Since the vulnerability requires only Subscriber-level access, it increases risk in environments where user accounts are not tightly controlled or where attackers can gain low-level access through other means.

To mitigate this vulnerability, organizations should immediately upgrade the plugin to a version that includes proper authorization checks once available. Until a patch is released, administrators should restrict Subscriber-level user capabilities or remove unnecessary user accounts to limit potential exploitation. Implementing strict user role management and monitoring for suspicious activity related to API key deletion attempts is advisable. Additionally, site administrators can consider temporarily disabling the plugin or restricting access to the API key management functions via custom code or security plugins that enforce capability checks. Regular backups of the API key and plugin settings should be maintained to enable quick restoration if deletion occurs. Monitoring WordPress logs for calls to the atgai_delete_api_key() function can help detect exploitation attempts early. Finally, educating users about the risks of unauthorized access and enforcing strong authentication policies will reduce the likelihood of exploitation.