WordPress Plugin Vulnerabilities

ImageRecycle pdf & image compression < 3.1.14 - Missing Authorization to Settings Update in enableOptimization

Description

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enableOptimization function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to enable image optimization.

Affects Plugins

Plugin icon
imagerecycle-pdf-image-compression
Fixed in 3.1.14

References

CVE
CVE-2024-0983
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/175dd04d-ce06-45a0-8cfe-14498e2f9198

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
a2e6b628-6e37-4a8f-92fe-fee22c8b91f1

Timeline

Publicly Published
2024-02-07 (about 2 years ago)
Added
2024-02-07 (about 2 years ago)
Last Updated
2024-02-07 (about 2 years ago)

Other

Published
Title
Published
2024-05-31
Title
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin < 3.2.1 - Missing Authorization to Privilege Escalation
Published
2024-05-20
Title
Crafthemes Demo Import <= 3.3 - Missing Authorization to Arbitrary Plugin Installation
Published
2026-01-08
Title
Tutor LMS – eLearning and online course solution < 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass
Published
2025-12-28
Title
HR Management Lite <= 3.5 - Missing Authorization
Published
2025-04-01
Title
WP AutoKeyword <= 1.0 - Missing Authorization to Arbitrary Content Deletion