The Bulk Image Alt Text plugin for WordPress is vulnerable to stored cross‑site scripting because the "bialty_cs_alt" post meta field is not properly validated or escaped when saving data. An attacker who has at least contributor permissions can inject arbitrary JavaScript into this meta field, which is later rendered unescaped in the post editor. When an administrator opens the editor for the affected post, the injected script executes within the administrator’s browser context, allowing the attacker to steal the administrator’s session, deface the site, or perform further actions on the site’s backend.

This flaw affects the Bulk Image Alt Text (Alt tag, Alt attribute) optimizer plugin, published by pagup, for all versions up to and including 2.2.1. The plugin is used on WordPress sites that also run WooCommerce. Any site running one of these plugin versions is vulnerable.

The CVSS score of 6.4 indicates a moderate‑severity issue, and the EPSS score of less than 1 % suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication at the contributor level or higher; the attacker must inject the script through the backend interface, and the impact materializes when an administrator accesses the post editor where the unsanitized meta data is displayed.