WordPress Plugin Vulnerabilities

WPZOOM Social Feed Widget & Block < 2.1.14 - Missing Authorization to Authenticated (Subscriber+) Instagram Image Deletion

Description

The WPZOOM Social Feed Widget & Block plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpzoom_instagram_clear_data() function in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete all Instagram images installed on the site.

Affects Plugins

Plugin icon
instagram-widget-by-wpzoom
Fixed in 2.1.14

References

CVE
CVE-2024-3662
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e3a70510-51c8-49c3-933b-79e79dfb8611

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Thura Moe Myint (mgthuramoemyint)
Verified
No
WPVDB ID
ce5c7c05-dfb4-411a-ad6d-f1947130c76f

Timeline

Publicly Published
2024-04-12 (about 2 years ago)
Added
2024-04-12 (about 2 years ago)
Last Updated
2024-04-12 (about 2 years ago)

Other

Published
Title
Published
2025-06-12
Title
Arconix FAQ < 1.9.7 - Missing Authorization
Published
2025-11-10
Title
Find Unused Images <= 1.0.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion
Published
2024-12-03
Title
Accessibility by AllAccessible < 1.3.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update
Published
2024-07-16
Title
Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin < 5.7.27 - Missing Authorization
Published
2026-01-22
Title
Hospital Doctor Directory <= 1.3.9 - Missing Authorization