Description
The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page handler BulkSeoImage(), which dispatches to launchbulk() / BulkSeoImageGo() whenever the request contains $_POST['bulkseoimage']. No wp_nonce_field() is emitted in the form and no check_admin_referer()/wp_verify_nonce() is performed before bulk-overwriting the _wp_attachment_image_alt post meta for every image attached to every published post and/or page. This makes it possible for unauthenticated attackers to bulk-overwrite image ALT-text metadata across the site via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
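The fix the description implies, shown as an added example rather than the plugin's own code: the settings form emits a nonce field, and the handler verifies both the administrator capability and the nonce before dispatching to the bulk routine. The bsi_ function names, the nonce action/field names, and the choice of copying the parent post's title into the ALT text are assumptions made for illustration.

```php
<?php
// Added example (not Bulk SEO Image's code). Nonce names are assumed.
const BSI_NONCE_ACTION = 'bulkseoimage_run';
const BSI_NONCE_FIELD  = 'bulkseoimage_nonce';

// Settings page: the form must carry the nonce, otherwise the handler's
// check_admin_referer() below rejects every submission, including legitimate ones.
function bsi_render_settings_page() {
    ?>
    <form method="post">
        <?php wp_nonce_field( BSI_NONCE_ACTION, BSI_NONCE_FIELD ); ?>
        <?php submit_button( 'Apply ALT text to all attached images', 'primary', 'bulkseoimage' ); ?>
    </form>
    <?php
}

// Handler: the vulnerable pattern in the advisory dispatches as soon as
// $_POST['bulkseoimage'] is present. Here the bulk overwrite is gated on
// capability AND nonce, so a request forged from another origin never reaches it.
function bsi_handle_settings_post() {
    if ( ! isset( $_POST['bulkseoimage'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce against the logged-in user's
    // session and dies with a 403 when it is missing or forged.
    check_admin_referer( BSI_NONCE_ACTION, BSI_NONCE_FIELD );
    bsi_bulk_update_alt_text();
}

// Stand-in for launchbulk()/BulkSeoImageGo(): rewrite _wp_attachment_image_alt
// on every image attached to a published post or page. Using the post title
// as the ALT value is an assumption; the advisory does not state the source.
function bsi_bulk_update_alt_text() {
    $posts = get_posts( array(
        'post_type'   => array( 'post', 'page' ),
        'post_status' => 'publish',
        'numberposts' => -1,
    ) );
    foreach ( $posts as $post ) {
        foreach ( get_attached_media( 'image', $post->ID ) as $image ) {
            update_post_meta( $image->ID, '_wp_attachment_image_alt', sanitize_text_field( $post->post_title ) );
        }
    }
}

add_action( 'admin_init', 'bsi_handle_settings_post' );
add_action( 'admin_menu', function () {
    add_options_page( 'Bulk SEO Image', 'Bulk SEO Image', 'manage_options', 'bulkseoimage', 'bsi_render_settings_page' );
} );
```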
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bulk SEO Image plugin for WordPress contains a CSRF flaw that results from omitted nonce validation in the settings handler. The vulnerability allows an attacker who can trick an administrator into sending a crafted POST request to force the plugin to overwrite the _wp_attachment_image_alt meta field for every image in all published posts and pages. This permits unauthorized manipulation of alternate text, potentially harming search engine optimization, breaking accessibility, and erasing author intent. The weakness is identified as CWE-352.

Affected Systems

Any WordPress site that has Bulk SEO Image version 1.1 or earlier installed, including the default 1.0 release and any variant with its settings page enabled, is affected. The flaw exists wherever the plugin’s settings handler is accessible to administrators.

Risk and Exploitability

The CVSS 3.1 score of 4.3 reflects a low integrity impact (I:L) reachable over the network (AV:N) but requiring user interaction (UI:R). The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, indicating no confirmed exploitation in the wild. An unauthenticated attacker can exploit the flaw by sending a CSRF request from any domain, provided a site administrator follows a malicious link. Although it does not grant remote code execution, it facilitates widespread content alteration. Timely administrator awareness and patching are essential to mitigate the risk.

Generated by OpenCVE AI on June 24, 2026 at 09:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Bulk SEO Image to the latest version that includes proper nonce validation on the settings update page, removing the vulnerability.
  • If an up‑to‑date version is unavailable, deactivate or delete the plugin to eliminate the CSRF surface area.
  • As a temporary countermeasure, restrict the bulk‑update capability to the administrator role by adding an access‑control rule or employing a CSRF protection plugin that enforces nonce checks on POST requests to the admin area.

Generated by OpenCVE AI on June 24, 2026 at 09:01 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page handler BulkSeoImage(), which dispatches to launchbulk() / BulkSeoImageGo() whenever the request contains $_POST['bulkseoimage']. No wp_nonce_field() is emitted in the form and no check_admin_referer()/wp_verify_nonce() is performed before bulk-overwriting the _wp_attachment_image_alt post meta for every image attached to every published post and/or page. This makes it possible for unauthenticated attackers to bulk-overwrite image ALT-text metadata across the site via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Title | (none) | Bulk SEO Image <= 1.1 - Cross-Site Request Forgery to Settings Update
Weaknesses | (none) | CWE-352
References | (none) |
Metrics | (none) | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:33.073Z

Reserved: 2026-06-11T15:22:23.979Z

Link: CVE-2026-11997

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)