WordPress Plugin Vulnerabilities

Bulk Auto Image Title Attribute <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Bulk Auto Image Title Attribute plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
bulk-image-title-attribute
No known fix

References

CVE
CVE-2025-62921
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/41315d40-0e93-480a-b85f-f3e4c8fa299a

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Nabil Irawan
Verified
No
WPVDB ID
847993ae-937b-49f8-b912-88b85417c916

Timeline

Publicly Published
2025-10-04 (about 6 months ago)
Added
2025-10-29 (about 5 months ago)
Last Updated
2025-10-29 (about 5 months ago)

Other

Published
Title
Published
2022-02-02
Title
Advanced iFrame < 2022 - Reflected Cross-Site Scripting
Published
2024-04-16
Title
Attesa Extra < 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-20
Title
Shortcodes and extra features for Phlox theme < 2.17.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Staff Widget
Published
2023-01-06
Title
Post Grid, Post Carousel, & List Category Posts < 2.4.19 - Contributor+ Stored XSS
Published
2025-09-22
Title
Photo Gallery by Ays < 6.3.9 - Contributor+ Stored XSS