Impact
The Auto Featured Image (Auto Post Thumbnail) WordPress plugin is missing a capability check in its bulk_action_generate_handler function. Because the handler verifies only that the caller is logged in, any authenticated user with the Contributor role or higher can trigger it to generate or delete featured images on posts they do not own, including other authors' published content. This is a missing authorization flaw (CWE-862): the plugin trusts the role-level right to reach the handler instead of checking, per post, whether the caller may edit that post. The impact is limited to integrity of post thumbnails, which an attacker could use to deface a site's visual presentation or mislead visitors by swapping or removing featured media. It provides neither remote code execution nor data exfiltration, but it gives a low-privileged contributor control over the appearance of content that WordPress would otherwise not let them touch.
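To make the missing check concrete, the following is an added illustration of the vulnerable pattern beside a hardened version, written for this page and not taken from the plugin. The handler name comes from the advisory; the request parameters (post_ids, mode), the nonce action name, the AJAX hook name and the simplified thumbnail-generation routine are assumptions. Everything else uses stock WordPress core functions.

```php
<?php
/**
 * Added example, not the plugin's code. Shows why "is the user logged in"
 * is not an authorization check, and what a per-post check looks like.
 * Parameter names, nonce action and hook name are assumptions.
 */

/**
 * Simplified stand-in for the plugin's generation logic (assumption): use
 * the first image attached to the post as its featured image.
 * Returns true when a thumbnail is present afterwards.
 */
function apt_example_generate_thumbnail( $post_id ) {
    if ( has_post_thumbnail( $post_id ) ) {
        return true;
    }
    $images = get_attached_media( 'image', $post_id );
    if ( empty( $images ) ) {
        return false;
    }
    $first = reset( $images );
    return (bool) set_post_thumbnail( $post_id, $first->ID );
}

/**
 * BEFORE: the pattern the advisory describes. Reaching the wp_ajax_ hook
 * already requires a login, and that is the only gate. A Contributor can
 * post arbitrary post IDs and strip or regenerate thumbnails on any post.
 */
function bulk_action_generate_handler_vulnerable() {
    $post_ids = array_map( 'absint', (array) ( $_POST['post_ids'] ?? array() ) );
    $mode     = sanitize_key( $_POST['mode'] ?? 'generate' );

    foreach ( $post_ids as $post_id ) {
        if ( 'delete' === $mode ) {
            delete_post_thumbnail( $post_id ); // no check that the caller may edit $post_id
        } else {
            apt_example_generate_thumbnail( $post_id );
        }
    }
    wp_send_json_success();
}

/**
 * AFTER: CSRF nonce plus a per-post capability check. current_user_can(
 * 'edit_post', $id ) is a meta capability: core resolves it against the
 * post's author and status, so a Contributor passes only for their own
 * unpublished drafts, an Editor for any post, and nobody for a post that
 * does not exist. Checking the role-level 'edit_posts' capability instead
 * would NOT fix the bug, because every Contributor has it.
 */
function bulk_action_generate_handler_fixed() {
    check_ajax_referer( 'apt_bulk_generate', 'nonce' ); // nonce action name is an assumption

    $post_ids = array_map( 'absint', (array) ( $_POST['post_ids'] ?? array() ) );
    $mode     = sanitize_key( $_POST['mode'] ?? 'generate' );
    $done     = array();
    $skipped  = array();

    foreach ( $post_ids as $post_id ) {
        if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
            $skipped[] = $post_id; // report, do not silently act
            continue;
        }
        if ( 'delete' === $mode ) {
            delete_post_thumbnail( $post_id );
        } else {
            apt_example_generate_thumbnail( $post_id );
        }
        $done[] = $post_id;
    }

    wp_send_json_success( array( 'updated' => $done, 'skipped' => $skipped ) );
}

// Hook name is an assumption; the point is that the hook itself only
// guarantees authentication, never authorization.
add_action( 'wp_ajax_apt_bulk_generate', 'bulk_action_generate_handler_fixed' );
```

When auditing a plugin for this class of bug, look for wp_ajax_ or admin-post handlers that act on caller-supplied post IDs and grep for current_user_can near them: a check against a role-level capability such as edit_posts, or no check at all, is the finding. The per-post meta capability (edit_post, delete_post) is the correct primitive because it already encodes WordPress's ownership rules.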
Affected Systems
The vulnerability exists in all versions of the Auto Featured Image (Auto Post Thumbnail) plugin up to and including 4.2.1, released by ThemeIsle. A WordPress site is exposed when it runs an affected version and has accounts at Contributor level or above that are not fully trusted, for example sites that accept guest authors or register new users with the Contributor role.
Risk and Exploitability
The CVSS score of 4.3 places the issue in the Medium range, consistent with a low-privilege, integrity-only impact, and an EPSS score below 1% reflects a low estimated probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated WordPress account with Contributor or higher privileges; the attack is a normal request to the plugin's bulk action handler through the WordPress admin interface, with the attacker supplying the IDs of posts they do not own. No additional credentials, user interaction, or special tooling is needed, so for anyone who already holds a Contributor account the vulnerability is trivial to exploit. The practical risk therefore depends on how freely the site hands out Contributor access.
OpenCVE Enrichment