Auto Featured Image
cpe:2.3:a:cm-wp:auto_featured_image:*:*:*:*:wordpress:*:*
A vulnerability exists in the Auto Featured Image (Auto Post Thumbnail) plugin for WordPress, in all versions through 4.2.1. The issue arises from a lack of proper capability checks in the bulk_action_generate_handler function, allowing authenticated attackers with Contributor-level access or higher to manipulate featured images on posts they do not own. This includes the unauthorized deletion or generation of featured images.
Exploitation of this vulnerability allows for unauthorized modification of post thumbnail data, enabling attackers to delete or add featured images on posts they do not own.
To reproduce this vulnerability, an authenticated user with Contributor-level access can use the bulk action feature to delete or generate featured images on posts they do not own. This can be done by selecting the appropriate bulk action option and applying it to the targeted posts.
Users are advised to update the Auto Featured Image (Auto Post Thumbnail) plugin to version 4.2.2 or a newer patched version.
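The root cause is a bulk handler that acts on every submitted post ID without asking whether the current user may edit that post. The following is an added illustration, not the plugin's own code, of a bulk action that authorizes each post individually with WordPress's `current_user_can( 'edit_post', $post_id )` before touching its featured image; the `myplugin_` names are hypothetical, the hook and API names are standard WordPress.

```php
<?php
// Added example (not the plugin's code): a bulk action that checks the
// per-post capability before deleting any featured image.
// "myplugin_" identifiers are hypothetical; hooks and API calls are WordPress core.

add_filter( 'bulk_actions-edit-post', 'myplugin_register_bulk_actions' );
function myplugin_register_bulk_actions( $actions ) {
    $actions['myplugin_delete_thumbnail'] = __( 'Delete featured image', 'myplugin' );
    return $actions;
}

add_filter( 'handle_bulk_actions-edit-post', 'myplugin_handle_bulk_action', 10, 3 );
function myplugin_handle_bulk_action( $redirect_to, $doaction, $post_ids ) {
    if ( 'myplugin_delete_thumbnail' !== $doaction ) {
        return $redirect_to;
    }
    // edit.php has already verified the list-table bulk nonce ('bulk-posts');
    // an AJAX variant of this handler would need check_ajax_referer() here.
    $done    = 0;
    $skipped = 0;

    foreach ( array_map( 'absint', $post_ids ) as $post_id ) {
        // The missing check: authorize each post on its own. 'edit_post' is a
        // meta capability, so for a Contributor it is true only for their own
        // unpublished posts; other users' posts are skipped rather than modified.
        if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
            $skipped++;
            continue;
        }
        delete_post_thumbnail( $post_id );
        $done++;
    }

    return add_query_arg(
        array( 'myplugin_done' => $done, 'myplugin_skipped' => $skipped ),
        $redirect_to
    );
}
```

A generate-thumbnail action would use the same per-post gate before calling `set_post_thumbnail()`; counting skipped IDs in the redirect also gives administrators a visible signal when a low-privilege account submits post IDs it does not own.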