This vulnerability is a missing authorization flaw that permits users to perform actions on the WordPress site that should be restricted. The flaw can allow an attacker to add, edit, or delete image alternative text entries, potentially injecting content or altering metadata without the appropriate permissions. The primary impact is the elevation of privileges to control content that is normally protected, which may lead to broader site compromise if the plugin connects to other privileged functions.

The affected product is WP Messiah:Ai Image Alt Text Generator for WP, with all releases up to and including version 1.1.5 vulnerable. No other versions are listed as affected.

The CVSS score of 8.2 classifies this issue as high severity. Although the EPSS score is less than 1%, indicating a low overall exploitation probability, the vulnerability remains significant because it is an access‑control bypass that can be triggered by available plugin endpoints. The plugin is not listed in the CISA KEV catalog, so no known public exploit is confirmed. The likely attack vector is through the web interface or API calls to the plugin, where an attacker with any authenticated or unauthenticated session might exploit the missing checks depending on the site’s configuration.