Impact
The Alt Text Generator AI plugin for WordPress is missing a capability check in the atgai_delete_api_key() function. Any authenticated user with Subscriber-level access or higher can therefore invoke the handler and delete the API key stored for the site. Deleting the key disables the plugin's AI assistance until an administrator re-enters it, so the practical impact is loss of the alt-text generation feature; the key is removed, not read, so the flaw is an integrity and availability issue rather than a disclosure. The weakness is classified as CWE-862 (Missing Authorization).
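The pattern behind a CWE-862 finding in a WordPress AJAX handler, shown as an added illustration rather than the plugin's own code. The handler name atgai_delete_api_key() comes from the advisory above; the option name `atgai_api_key`, the AJAX action name and the nonce action string are assumptions made for this example. Every logged-in user, including Subscribers, can reach `wp_ajax_*` hooks through `admin-ajax.php`, so a handler that performs a privileged action without checking the caller's capability is exploitable exactly as described.

```php
<?php
// Added example, not code from the Alt Text Generator AI plugin.
// Assumed names: option 'atgai_api_key', AJAX action 'atgai_delete_api_key',
// nonce action 'atgai_delete_api_key_nonce'.

// "Before" (the class of defect the advisory describes, CWE-862):
// the handler trusts the fact that the caller is logged in and nothing else.
// Any Subscriber can POST action=atgai_delete_api_key to admin-ajax.php.
function atgai_delete_api_key_vulnerable() {
    delete_option( 'atgai_api_key' );
    wp_send_json_success( array( 'message' => 'API key removed' ) );
}
// Not hooked here so it cannot shadow the hardened version below; in a real
// fix the vulnerable handler is replaced, not kept alongside the new one.

// "After": the same action guarded by a nonce (CSRF) and a capability check
// (authorization). manage_options is held by administrators by default, so a
// Subscriber fails the check and the key survives.
function atgai_delete_api_key_hardened() {
    // Nonce: the request must carry a token issued to this user's session.
    // check_ajax_referer() dies with a 403 response when the nonce is invalid.
    check_ajax_referer( 'atgai_delete_api_key_nonce', 'nonce' );

    // Capability: logged-in is not the same as authorized.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    delete_option( 'atgai_api_key' );
    wp_send_json_success( array( 'message' => 'API key removed' ) );
}
add_action( 'wp_ajax_atgai_delete_api_key', 'atgai_delete_api_key_hardened' );

// Issue the nonce to the admin page that renders the "delete key" button, so
// that legitimate requests can pass check_ajax_referer() above.
function atgai_enqueue_settings_script() {
    wp_localize_script(
        'atgai-settings',                 // assumed script handle
        'atgaiSettings',
        array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( 'atgai_delete_api_key_nonce' ),
        )
    );
}
add_action( 'admin_enqueue_scripts', 'atgai_enqueue_settings_script' );
```

When reviewing a plugin for this class of bug, grep for `add_action( 'wp_ajax_` (and `wp_ajax_nopriv_`, which also admits anonymous callers) and confirm that every handler which writes options, deletes data or touches credentials calls `current_user_can()` with an appropriate capability; a nonce check alone only proves the request came from a page the same user loaded, not that the user is allowed to perform the action.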
Affected Systems
The vulnerability affects the WebToffee Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images WordPress plugin. All releases up to and including 1.8.3 are impacted. The affected product is the plugin itself, together with any WordPress installation on which an affected version is installed and active.
Risk and Exploitability
The CVSS v3.1 base score for this flaw is 4.3, a medium rating. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an account with at least Subscriber-level privileges, so the flaw is not reachable anonymously; on sites that allow open user registration, however, such an account is trivially obtained, and any Subscriber can then call the deletion handler and invalidate the AI key. Because the key is deleted rather than disclosed, the consequence is disruption of the alt-text workflow until an administrator re-enters the key, not exposure of private data. The overall risk remains moderate given the need for valid credentials and the low exploitation likelihood.
OpenCVE Enrichment