
CVE-2025-12113: CWE-862 Missing Authorization in webtoffee Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images

Severity: Medium
Tags: vulnerability, cve-2025-12113, cwe-862
Published: Wed Nov 12 2025 (11/12/2025, 07:27:41 UTC)
Source: CVE Database V5
Vendor/Project: webtoffee
Product: Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images

Description

The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site.

AI-Powered Analysis

Last updated: 11/12/2025, 07:49:34 UTC

Technical Analysis

CVE-2025-12113 identifies a missing authorization vulnerability (CWE-862) in the WordPress plugin 'Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images' developed by webtoffee. The vulnerability exists in all versions up to and including 1.8.3. Specifically, the function atgai_delete_api_key() lacks proper capability checks, enabling any authenticated user with at least Subscriber-level privileges to invoke this function and delete the API key associated with the plugin. The API key is critical for the plugin's operation, as it likely facilitates communication with external AI services for generating alt text. By deleting this key, an attacker can disrupt the plugin's ability to auto-generate or bulk update alt texts, impacting website accessibility and SEO. The vulnerability has a CVSS 3.1 base score of 4.3, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges (authenticated user), no user interaction, and unchanged scope. There is no confidentiality or availability impact, but integrity is affected due to unauthorized modification of the API key. No known exploits have been reported, and no patches have been released at the time of publication. The vulnerability was reserved on 2025-10-23 and published on 2025-11-12. The plugin is used on WordPress sites, which are widespread globally, including Europe. The vulnerability could be exploited by malicious insiders or compromised accounts with Subscriber or higher privileges to degrade site functionality.
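The vulnerability class described above (CWE-862 in a WordPress request handler) is easiest to see side by side with its fix. The following PHP is an added illustration, not the plugin's code: the AJAX action names, the option name and the nonce action are placeholder assumptions. In WordPress, a handler hooked to wp_ajax_{action} runs for every logged-in user regardless of role, so a handler that deletes the stored key without a capability check is reachable by a Subscriber; the hardened version verifies a nonce and a capability before touching the option.

```php
<?php
// Added illustration of the CWE-862 pattern described in the advisory.
// Not the plugin's code: the AJAX actions, nonce action and option name
// below are placeholder assumptions chosen for demonstration.

// --- Vulnerable pattern: reachable by any authenticated user. ---
// wp_ajax_{action} fires for every logged-in user, Subscriber included.
add_action( 'wp_ajax_example_delete_api_key', 'example_delete_api_key_vulnerable' );

function example_delete_api_key_vulnerable() {
    // No nonce check and no capability check: the stored key is removed
    // for whoever sends the request, which is the defect the CVE describes.
    delete_option( 'example_plugin_api_key' ); // placeholder option name
    wp_send_json_success( 'API key deleted' );
}

// --- Hardened pattern: verify intent and authorization before acting. ---
add_action( 'wp_ajax_example_delete_api_key_secure', 'example_delete_api_key_secure' );

function example_delete_api_key_secure() {
    // Reject requests that do not carry a valid nonce for this action (CSRF).
    check_ajax_referer( 'example_delete_api_key_nonce', 'nonce' );

    // Only users allowed to manage site settings may remove the key.
    // This is the missing capability check; manage_options excludes Subscribers.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    delete_option( 'example_plugin_api_key' ); // placeholder option name
    wp_send_json_success( 'API key deleted' );
}
```

Both checks are needed: the nonce proves the request came from the plugin's own settings page rather than a forged cross-site request, and the capability check proves the logged-in user is authorized. A nonce alone would not have prevented this issue, because a Subscriber can obtain a valid nonce for any page they can load.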

Potential Impact

For European organizations, the primary impact is operational disruption of the alt text generation functionality on WordPress sites using this plugin. This can affect website accessibility compliance, SEO rankings, and user experience, especially for organizations relying on automated alt text for large image repositories. While the vulnerability does not expose sensitive data or cause denial of service, the loss of the API key could require administrative intervention to restore plugin functionality, increasing operational overhead. Organizations with multiple users having Subscriber or higher roles are at increased risk, as any such user could exploit this flaw. This vulnerability could be leveraged in targeted attacks to degrade web presence or accessibility compliance, which is critical under EU regulations such as the Web Accessibility Directive. Although no direct data breach risk exists, the integrity loss and potential disruption could indirectly affect trust and compliance posture.

Mitigation Recommendations

1. Immediately restrict Subscriber and other low-privilege user roles from accessing or invoking plugin functions related to API key management by applying custom capability restrictions or role hardening plugins.
2. Monitor WordPress user activities for suspicious API key deletion attempts, using audit logging plugins or SIEM integration.
3. Limit the number of users with Subscriber or higher privileges to only those necessary, enforcing the principle of least privilege.
4. Regularly back up the API key and plugin configuration to enable quick restoration if deletion occurs.
5. Contact the plugin vendor (webtoffee) for updates or patches and apply them promptly once available.
6. Consider temporarily disabling or replacing the plugin if the risk is unacceptable and no patch is available.
7. Educate site administrators and users about the risk of privilege misuse and enforce strong authentication controls to prevent account compromise.
8. Review and harden WordPress security configurations to reduce the risk of unauthorized access to authenticated accounts.
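Steps 1 and 2 above can be implemented on the site side, without waiting for a vendor patch, with a small must-use plugin. The following PHP is an added example and is not part of the advisory or of the plugin: the AJAX action name and option name are placeholders (the advisory does not state the plugin's real hook or option names), and it assumes the plugin registers its handler on wp_ajax_{action} at the default priority, so a guard at priority 0 runs first. A site operator would substitute the values found in their installation.

```php
<?php
/**
 * Plugin Name: Example API-key guard (mu-plugin)
 *
 * Added example of mitigation steps 1 and 2; not part of the advisory or the
 * plugin. Place it in wp-content/mu-plugins/ so it loads before regular plugins.
 * The action and option names are placeholders (assumptions) to be replaced.
 */

const EXAMPLE_GUARDED_ACTION = 'PLACEHOLDER_AJAX_ACTION';     // assumption
const EXAMPLE_GUARDED_OPTION = 'PLACEHOLDER_API_KEY_OPTION';  // assumption

// Step 1: block the key-management AJAX action unless the caller may manage
// site options. Priority 0 runs before a handler registered at the default 10.
add_action( 'wp_ajax_' . EXAMPLE_GUARDED_ACTION, 'example_guard_api_key_action', 0 );

function example_guard_api_key_action() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // authorized: let the plugin's own handler run
    }
    example_log_key_event( 'blocked AJAX action ' . EXAMPLE_GUARDED_ACTION );
    // wp_send_json_error() ends the request, so the plugin's handler never runs.
    wp_send_json_error( 'Insufficient permissions', 403 );
}

// Step 2: audit every deletion of the guarded option, whatever code path
// triggers it. WordPress fires 'delete_option' with the option name just
// before the row is removed.
add_action( 'delete_option', function ( $option ) {
    if ( EXAMPLE_GUARDED_OPTION === $option ) {
        example_log_key_event( 'option ' . $option . ' deleted' );
    }
} );

// Write one line per event to the PHP error log (with WP_DEBUG_LOG enabled
// this lands in wp-content/debug.log), where a log shipper or SIEM agent can
// collect it. User ID 0 means the request was unauthenticated.
function example_log_key_event( $what ) {
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'n/a';
    error_log( sprintf(
        '[api-key-guard] %s by user %d (%s) from %s',
        $what,
        $user->ID,
        $user->user_login,
        $ip
    ) );
}
```

The guard is a compensating control, not a fix: it only covers the one action name configured, so if the plugin exposes the deletion through a different entry point the audit hook on delete_option is what still records the event. Remove the guard once a patched plugin version with its own capability check is installed.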


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-23T15:16:28.940Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6914387341f318252713cf4d

Added to database: 11/12/2025, 7:34:11 AM

Last enriched: 11/12/2025, 7:49:34 AM

Last updated: 11/12/2025, 9:00:06 AM

