Alt Text AI Vulnerable to SQL Injection Attacks
CVE-2024-4847

8.8 HIGH

Key Information:

Summary

The Alt Text AI Plugin for WordPress, designed for automatically generating image alt text to enhance SEO and accessibility, is susceptible to a generic SQL injection flaw. This vulnerability arises from inadequate escaping of the 'last_post_id' parameter, exposing the SQL query to manipulation. Authenticated users with Subscriber-level access and higher can exploit this weakness by injecting additional SQL commands into existing database queries, leading to potential extraction of sensitive data. It is crucial for users of versions up to and including 1.4.9 to apply security updates promptly to mitigate this risk.
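To show the flaw class the summary describes, here is an added, hypothetical WordPress AJAX handler (not the Alt Text AI plugin's actual source) that pages through posts by a client-supplied 'last_post_id', first with the value interpolated into the query and then bound through $wpdb->prepare() behind a capability check; the function, hook and nonce names are assumptions.

```php
<?php
// Added illustration only; hypothetical code, not the plugin's real handler.
// Assumes a WordPress AJAX endpoint that returns attachments after 'last_post_id'.

// WEAK PATTERN: the request value is spliced straight into the SQL text.
// sanitize_text_field() strips tags and whitespace but does NOT make a value
// safe inside a query, so the caller still controls the WHERE clause.
function alttext_next_posts_unsafe() {
    global $wpdb;
    $last_post_id = sanitize_text_field( $_POST['last_post_id'] ?? '0' );
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'attachment' AND ID > $last_post_id
            ORDER BY ID ASC LIMIT 20";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: require a capability so Subscriber-level accounts never
// reach the query, verify the nonce, cast to the expected type, and bind the
// value with $wpdb->prepare() instead of building SQL by string concatenation.
function alttext_next_posts_safe() {
    global $wpdb;

    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'alttext_nonce', 'nonce' );

    // absint() collapses anything non-numeric to 0, so the value can only be a
    // non-negative integer; %d then binds it as an integer inside prepare().
    $last_post_id = absint( $_POST['last_post_id'] ?? 0 );

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND ID > %d
         ORDER BY ID ASC LIMIT %d",
        'attachment',
        $last_post_id,
        20
    );
    return $wpdb->get_results( $sql );
}

// Only the hardened handler is registered; the unsafe one exists for contrast.
add_action( 'wp_ajax_alttext_next_posts', 'alttext_next_posts_safe' );
```

When reviewing a plugin for this bug class, grep for $wpdb->query/get_results/get_var calls whose SQL string contains an interpolated variable with no surrounding prepare(); esc_sql() on a bare numeric position is also insufficient, since it only escapes quotes.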

Affected Version(s)

Alt Text AI – Automatically generate image alt text for SEO and accessibility: all versions <= 1.4.9

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lucio Sá