CVE-2026-3722: WordPress plugin allows malicious scripts in image metadata
Summary
The Auto Image Attributes plugin for WordPress has a stored cross-site scripting (XSS) flaw: the plugin does not sufficiently sanitize input or escape output for attachment metadata, so an authenticated attacker with Author-level access or above can inject web scripts through it. The injected scripts execute whenever a user accesses an affected page. To stay safe, update the plugin to the latest version or consider replacing it with a different plugin.
Original title
The Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment metadata in ...
Original description
The Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment metadata in all versions up to, and including, 4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
NVD CVSS 3.1
6.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 2 Jun 2026 · Updated: 2 Jun 2026 · First seen: 2 Jun 2026