WordPress Plugin Vulnerabilities

Easy Image Collage < 1.13.6 - Missing Authorization to Authenticated (Contributor+) Data Clearance

Description

The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to erase all of the content in arbitrary posts.

Affects Plugins

Plugin icon
easy-image-collage
Fixed in 1.13.6

References

CVE
CVE-2024-5863
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ceeefc3f-1cb7-48df-9978-258f015d93c7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
bdbd9e2b-6d1a-4784-a16b-e7e43da5bdc1

Timeline

Publicly Published
2024-06-27 (about 1 year ago)
Added
2024-07-02 (about 1 year ago)
Last Updated
2024-07-02 (about 1 year ago)

Other

Published
Title
Published
2025-04-01
Title
mb.YTPlayer <= 3.3.8 - Missing Authorization
Published
2023-06-26
Title
Subscribe2 – Form, Email Subscribers & Newsletters < 10.41 - Missing Access Controls
Published
2026-05-13
Title
Database Backup for WordPress < 2.5.3 - Missing Authorization to Unauthenticated Database Backup Interception
Published
2025-11-03
Title
Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One 2.0.7 - 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Post Creation
Published
2026-01-28
Title
Recipe Maker < 10.3.0 - Missing Authorization