Missing authorization in the WordPress Automatic Featured Images from Videos plugin permits attackers to bypass intended access restrictions to plugin functionality. The flaw stems from an incorrectly configured access control mechanism that fails to validate user permissions before exposing administrative operations such as generating or managing featured images from video files. As a result, unauthenticated or insufficiently privileged users could gain the ability to execute plugin features they should not access, potentially leading to privilege escalation or unauthorized content manipulation.

The vulnerability affects installations of the Automatic Featured Images from Videos plugin by webdevstudios on WordPress websites running any version through 1.2.4. Users who have not upgraded beyond this version remain exposed.

The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests exploit opportunities are currently rare, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is likely remote, engaged through the web interface, and would require that the attacker can reach the plugin’s administrative endpoints. Although the overall risk is moderate, remediation is still advised to eliminate the possibility of unauthorized use of plugin features.