Impact
The Auto Post After Image Upload plugin is missing an authorization check, which lets an attacker take advantage of improperly configured access control. Because the plugin does not verify user permissions before an image upload triggers automated post creation, a malicious user could cause arbitrary content to be published on the site. The result is compromised content integrity and potential defacement, aligning with CWE-862 – Broken Access Control.
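As an added illustration (this is not code from the plugin or its author; the hook, function and capability choices are assumptions), the pattern the advisory describes, an upload handler that creates a post without checking who triggered it, is shown beside a hardened form that verifies capabilities and attachment ownership before creating anything:

```php
<?php
// Added illustration, not code from the Auto Post After Image Upload plugin.
// Function names are hypothetical; 'add_attachment' is a core WordPress action
// that passes the new attachment's post ID.

// --- Vulnerable pattern: every upload that reaches the handler becomes a
// published post, with no check on the uploader's role or ownership.
function hypothetical_autopost_on_upload_vulnerable( $attachment_id ) {
    wp_insert_post( array(
        'post_title'   => get_the_title( $attachment_id ),
        'post_content' => wp_get_attachment_image( $attachment_id, 'large' ),
        'post_status'  => 'publish',
    ) );
}

// --- Hardened pattern: authorize first, then let the post status follow the
// caller's capabilities instead of publishing unconditionally.
function hypothetical_autopost_on_upload_hardened( $attachment_id ) {
    // 1. The attachment must exist and really be an attachment.
    $attachment = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        return;
    }

    // 2. The acting user must own the attachment or be allowed to act on
    //    others' content; otherwise do nothing.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return; // unauthenticated context: never auto-create posts
    }
    if ( (int) $attachment->post_author !== $user_id
         && ! current_user_can( 'edit_others_posts' ) ) {
        return;
    }

    // 3. Map capability to post status: only users who may publish get a
    //    published post; contributors get a draft for editorial review.
    if ( current_user_can( 'publish_posts' ) ) {
        $status = 'publish';
    } elseif ( current_user_can( 'edit_posts' ) ) {
        $status = 'draft';
    } else {
        return;
    }

    wp_insert_post( array(
        'post_title'   => sanitize_text_field( get_the_title( $attachment_id ) ),
        'post_content' => wp_get_attachment_image( $attachment_id, 'large' ),
        'post_status'  => $status,
        'post_author'  => $user_id,
    ) );
}

add_action( 'add_attachment', 'hypothetical_autopost_on_upload_hardened' );
```

The key difference is that the hardened handler never trusts the fact that an upload occurred as proof of authority: it re-derives the allowed outcome from `current_user_can()` at the moment the post would be created, and it refuses to act at all when there is no authenticated user or when the attachment belongs to someone else.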
Affected Systems
All installations of the Shaharia Azam Auto Post After Image Upload plugin, from the earliest release up to and including version 1.6, are affected. No later version is mentioned as patched, so any installation running 1.6 or earlier is at risk.
Risk and Exploitability
The CVSS base score is 4.3, placing the vulnerability in the moderate range. The EPSS score is less than 1%, indicating a low probability of active exploitation at the time of this analysis. The vulnerability is not included in the CISA KEV list. The likely attack vector involves a user with some level of site access who can upload images: because authorization is not checked, posts are generated automatically without any verification of privileges. Exploitation would therefore require the attacker to be able to initiate the image upload process, most likely through the plugin's public interface or a compromised account. The exact exploitation method is not detailed in the advisory, so this assessment is inferred from the described broken access control.