CVE-2025-12113: CWE-862 Missing Authorization in webtoffee Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images
The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site.
AI Analysis
Technical Summary
CVE-2025-12113 identifies a missing authorization vulnerability (CWE-862) in the 'Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images' WordPress plugin developed by webtoffee. The vulnerability resides in the atgai_delete_api_key() function, which lacks a capability check to verify whether the authenticated user has sufficient privileges to delete the API key. As a result, any authenticated user with at least Subscriber-level access can invoke this function and delete the API key associated with the plugin. The API key is critical to the plugin's operation, since it is what lets the plugin connect to external AI services for generating and bulk updating alt text for images. Deleting the key disrupts the plugin's functionality and can stop automated alt text generation, which in turn affects website accessibility and SEO. The vulnerability is remotely exploitable over the network without user interaction beyond authentication. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low impact on confidentiality and availability but a partial impact on integrity. The vulnerability affects all plugin versions up to and including 1.8.3. No patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The flaw highlights the importance of implementing proper authorization checks in WordPress plugins, especially those handling sensitive API keys or configuration data.
Potential Impact
For European organizations, this vulnerability can lead to disruption of automated alt text generation on WordPress websites, which may degrade web accessibility compliance and SEO performance. While it does not expose sensitive data or cause service outages, the loss of API keys can interrupt workflows relying on AI-generated alt text, potentially increasing manual workload and reducing site quality. Organizations with multiple users having Subscriber-level or higher access are at greater risk, as any such user could exploit this flaw. This could be particularly impactful for e-commerce, media, and public sector websites that rely heavily on image accessibility. Additionally, the integrity of the website’s content management process is compromised, which could indirectly affect user trust and regulatory compliance related to accessibility standards such as the EU Web Accessibility Directive. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as automated scanning tools may detect vulnerable installations.
Mitigation Recommendations
Until an official patch is released, European organizations should implement the following mitigations:
1) Restrict WordPress user roles to the minimum necessary, avoiding granting Subscriber-level or higher access to untrusted users.
2) Monitor and audit user activities related to plugin settings and API key management to detect unauthorized attempts to delete API keys.
3) Employ WordPress security plugins or custom code to add additional authorization checks around the atgai_delete_api_key() function, if feasible.
4) Regularly back up the API key and plugin configuration to enable quick restoration if deletion occurs.
5) Disable or remove the plugin if it is not essential, or replace it with alternative plugins that have verified secure authorization controls.
6) Stay informed about updates from the vendor and apply patches promptly once available.
7) Consider implementing web application firewalls (WAFs) with rules to detect and block suspicious API key deletion requests.
These steps go beyond generic advice by focusing on user role management, monitoring, and temporary compensating controls specific to this vulnerability.
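As an added illustration of the missing-capability-check pattern described above and of mitigation 3 (this is example code, not the plugin's own implementation): a WordPress admin-ajax handler that deletes a stored API key with no authorization check, beside a hardened version that requires a valid nonce and the manage_options capability. The AJAX action names, the option key and the nonce action are assumptions for the example.

```php
<?php
// Added illustration, not code from the affected plugin. The action names,
// option key and nonce action below are assumed for the example.

// Vulnerable pattern: wp_ajax_* hooks fire for every logged-in role, so a
// Subscriber can reach this handler, and nothing here verifies what that user
// is allowed to do before the stored key is deleted.
function example_delete_api_key_unchecked() {
    delete_option( 'example_api_key' ); // assumed option key
    wp_send_json_success( 'API key removed' );
}
add_action( 'wp_ajax_example_delete_api_key', 'example_delete_api_key_unchecked' );

// Hardened pattern: reject requests without a valid CSRF nonce, then require an
// administrative capability. Either failure stops the request before the key
// is touched, so a Subscriber-level account can no longer delete it.
function example_delete_api_key_checked() {
    // On a missing or invalid nonce this responds -1 with HTTP 403 and stops.
    check_ajax_referer( 'example_delete_api_key_nonce', 'nonce' );

    // manage_options is granted to Administrators (and Super Admins) only;
    // Subscribers, Contributors, Authors and Editors do not have it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 ); // ends the request
    }

    delete_option( 'example_api_key' );
    wp_send_json_success( 'API key removed' );
}
add_action( 'wp_ajax_example_delete_api_key_secure', 'example_delete_api_key_checked' );
```

The same two checks apply to any plugin endpoint that changes configuration: a nonce alone only proves the request came from the site's own page, so the capability check is what actually enforces authorization.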
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-23T15:16:28.940Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6914387341f318252713cf4d
Added to database: 11/12/2025, 7:34:11 AM
Last enriched: 11/19/2025, 8:06:53 AM
Last updated: 2/7/2026, 7:07:30 AM