WordPress Plugin Vulnerabilities

Instant Images < 6.1.1 - Author+ Arbitrary Options Update

Description

The plugin is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint, allowing authors and higher to update arbitrary options.

Affects Plugins

Plugin icon
instant-images
Fixed in 6.1.1

References

CVE
CVE-2024-0869
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Sean Murphy
Verified
Yes
WPVDB ID
940aceb6-0bd0-48a7-be88-ff359c1c165c

Timeline

Publicly Published
2024-01-29 (about 2 years ago)
Added
2024-01-31 (about 2 years ago)
Last Updated
2024-01-31 (about 2 years ago)

Other

Published
Title
Published
2026-04-08
Title
AWP Classifieds < 4.4.5 - Missing Authorization
Published
2022-07-26
Title
Product Slider for WooCommerce < 2.5.7 - Subscriber+ Arbitrary Options Deletion
Published
2023-09-29
Title
WP Custom Admin Interface < 7.33 - Missing Authorization to Transients Deletion
Published
2024-03-29
Title
Integrate Google Drive < 1.3.9 - Missing Authorization to Unauthenticated Settings Modification and Export
Published
2024-12-19
Title
Premium Addons for Elementor < 4.10.57 - Missing Authorization