MEDIUM 6.4

CVE-2026-3722: Stored XSS in WordPress Auto Image Attributes Plugin (v4.9 and Earlier)

A WordPress plugin called 'Auto Image Attributes From Filename With Bulk Updater' fails to properly clean and display user-supplied data in image metadata fields. This allows authenticated users with Author-level permissions or higher to embed malicious code into image properties. When site visitors view pages containing the injected image, that code runs in their browsers—potentially stealing session cookies, performing actions on their behalf, or redirecting them to malicious sites. The vulnerability affects all versions up to and including 4.9.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

The Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment metadata in all versions up to, and including, 4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-3722 is a Stored Cross-Site Scripting (XSS) vulnerability in the Auto Image Attributes From Filename With Bulk Updater WordPress plugin. The plugin processes attachment metadata without adequate input sanitization or output escaping, creating a window for arbitrary script injection. An authenticated attacker with Author-level or higher capabilities can manipulate attachment metadata fields to store malicious JavaScript. This payload persists in the WordPress database and executes in the DOM context of any page where that attachment is displayed or referenced, affecting all users who visit those pages. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

Business impact

Compromised sites running vulnerable versions risk widespread defacement, credential harvesting, and malware distribution to site visitors. Because the XSS is stored, every page containing the injected image becomes a vector—multiplying exposure across your content library. Visitor trust erodes quickly once malicious behavior is detected. For multi-author sites or those with external contributor workflows, the threat surface widens significantly. Recovery requires identifying and removing all injected attachments and potentially clearing cached pages, creating operational burden and potential data loss.

Affected systems

WordPress sites running the Auto Image Attributes From Filename With Bulk Updater plugin in version 4.9 or earlier are at risk. The vulnerability requires authentication and Author-level permissions, so it does not affect sites where user registration or contributor access is tightly controlled. Multisite WordPress installations are particularly vulnerable if contributor roles are distributed broadly. Sites using the plugin's bulk update features are more likely to have been exposed to malicious input during batch operations.

Exploitability

Exploitation requires valid WordPress authentication with Author-level credentials or higher (Contributor role alone is insufficient). The attack vector is network-accessible and requires no special configuration or user interaction beyond normal page visits. CVSS scoring reflects a Medium severity (6.4) because the attack demands authenticated access and does not cause data loss or service disruption—only integrity compromise through XSS. However, the scope is marked as Changed because injected scripts affect all site visitors, not just the attacker's own sessions. In environments with loose access controls or compromised Author accounts, exploitability increases materially.

Remediation

Update the Auto Image Attributes From Filename With Bulk Updater plugin to a patched version released after 4.9. Verify the patch version against the official WordPress plugin repository or vendor advisory. Additionally, conduct a post-incident review: audit all users with Author access and above, review attachment metadata for suspicious content, and consider implementing a Web Application Firewall (WAF) rule to detect and block script-like patterns in image metadata fields. For sites unable to update immediately, restrict Author-level access to trusted staff only and disable the plugin's bulk update feature until a fix is applied.

Patch guidance

Monitor the Auto Image Attributes From Filename With Bulk Updater plugin repository for a security release. Verify against the vendor advisory that the patch version addresses CWE-79 input validation and escaping. Test the update in a staging environment before production deployment to ensure compatibility with your custom image handling workflows. After patching, purge any cached pages and clear browser caches to ensure injected content is not served from stale copies. If the vendor has not released a patch, consider temporary disablement of the plugin and manual image attribute management.

Detection guidance

Check WordPress admin for any installed versions of the Auto Image Attributes From Filename With Bulk Updater plugin and note the version number. Inspect image attachment metadata in the WordPress Media Library for suspicious HTML or JavaScript patterns—particularly in the alt text, title, and description fields. Review the WordPress user roster for Author-level accounts; flag any with unusual creation dates or access patterns. Monitor your web application firewall or content delivery network logs for suspicious script execution originating from image asset URLs. Use WordPress security plugins configured to detect stored XSS patterns in post and attachment metadata.

Why prioritize this

Although scored as Medium severity, this vulnerability merits prompt attention because (1) XSS payloads persist across the entire site and affect all visitors, not just authenticated users; (2) legitimate content management workflows regularly expose attachment metadata; (3) Author-level access is often granted to contractors and external teams; and (4) stored XSS chains frequently with other attacks to steal credentials or spread malware. Sites with high traffic or sensitive visitor bases should prioritize immediately; others can schedule patching within standard maintenance windows.

Risk score, explained

CVSS 3.1 score of 6.4 (Medium) reflects: Network-accessible attack vector with no special setup required; Low privilege requirement (authenticated Author-level); No user interaction needed on the attacker's part; Scope changed because visitor browsers execute the injected code in a context separate from the attacker's own; Confidentiality and Integrity impacts are Low (session hijacking or defacement are possible but not guaranteed to cause data exfiltration or system failure); Availability is unaffected (no denial of service). The score does not escalate to High because exploitation requires valid authentication credentials and WordPress administrative access is typically restricted.

Frequently asked questions

If I have a custom Author account with limited permissions, am I safe from this vulnerability?

Not entirely. If that account's credentials are compromised—through phishing, password reuse, or social engineering—an attacker can use it to inject malicious metadata. The vulnerability itself requires Author-level access, but the attack surface includes any person or service with those permissions. Restrict Author access to fully trusted staff and monitor account activity.

Does this vulnerability affect sites that only use the plugin for bulk alt text updates and never allow external uploads?

If your site never accepts user-supplied images and only administrators perform bulk updates, your risk is lower but not zero. A compromised admin account or a malicious administrator remains a threat. In controlled environments, this vulnerability is primarily an integrity risk rather than a widespread attack vector.

Can I detect if my site has been exploited by this vulnerability?

Yes. Check your Media Library for image metadata (alt text, title, description) containing HTML tags, script tags, or event handlers (like onclick=). Review your page source code for unexpected JavaScript references near image elements. Check WordPress security audit logs if available. Contact your hosting provider or security team for forensic assistance if you suspect compromise.

What is the difference between updating the plugin and disabling it entirely?

Updating is the recommended path—it preserves functionality while removing the vulnerability. Disabling stops the risk but removes features your site may depend on (bulk metadata assignment, SEO optimization). If the vendor has not released a timely patch, disabling is a safer interim measure, but plan to update or migrate to an alternative plugin as soon as possible.

This analysis is provided for informational purposes and reflects the state of vulnerability information as of the publication date. Vendor patch availability, version numbers, and remediation timelines are subject to change. Organizations should verify patch status directly with the official WordPress plugin repository and vendor advisory before deploying updates. Testing in non-production environments is mandatory. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for decisions made based on this content. Always consult your security team and conduct your own risk assessment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).