The Bulk Auto Image Alt Text optimizer plugin for WordPress, developed by pagup, suffers from a stored XSS vulnerability (CWE-79) due to improper neutralization of input during web page generation. Specifically, the 'bialty_cs_alt' post meta field does not properly sanitize or escape input, allowing authenticated contributors or higher to inject arbitrary JavaScript. This script executes in the context of administrators when they access the post editor, potentially leading to session hijacking or other script-based attacks. The vulnerability affects all versions up to and including 2.2.1. The CVSS 3.1 base score is 6.4 (medium), with network attack vector, low attack complexity, privileges required at the contributor level, no user interaction needed, and impacts on confidentiality and integrity but not availability. No patch or vendor advisory is currently available, and no known exploits have been reported.

An attacker with contributor-level access or higher can inject persistent malicious scripts into the WordPress backend via the vulnerable plugin. These scripts execute when an administrator accesses the post editor, potentially compromising administrator sessions or performing unauthorized actions within the admin context. The impact affects confidentiality and integrity but does not affect availability. Since the attacker must have authenticated access at contributor level or above, the risk is limited to environments where such user roles exist.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only and consider disabling or removing the vulnerable plugin if possible. Monitor for updates from the plugin vendor (pagup) or WordPress plugin repository regarding patches or security updates addressing this vulnerability.