WordPress Plugin Vulnerabilities

Automatic Featured Images from Videos < 1.2.8 - Missing Authorization

Description

The Automatic Featured Images from Videos plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
automatic-featured-images-from-videos
Fixed in 1.2.8

References

CVE
CVE-2026-24535
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fa85b4-df6e-4b7d-9b8b-940c5f102556

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nabil Irawan
Verified
No
WPVDB ID
3c8df3e2-e739-4f30-b1fa-08328218d2c5

Timeline

Publicly Published
2026-01-25 (about 3 months ago)
Added
2026-01-28 (about 3 months ago)
Last Updated
2026-01-28 (about 3 months ago)

Other

Published
Title
Published
2026-03-10
Title
EventPrime – Events Calendar, Bookings and Tickets < 4.2.7.0 - Missing Authorization
Published
2026-02-21
Title
Diet Calorie Calculator <= 1.1.1 - Missing Authorization
Published
2025-03-27
Title
Specific Content For Mobile < 0.5.4 - Missing Authorization
Published
2025-07-07
Title
LoginWP - Pro < 4.0.8.6 - Missing Authorization
Published
2026-01-23
Title
AIKTP < 5.0.05 - Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions