ImageRecycle pdf & image compression < 3.1.14 – Missing Authorization to Plugin Data Removal in reinitialize | CVE 2024-1091 | Plugin Vulnerabilities

Description

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reinitialize function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to remove all plugin data.

Affects Plugins

imagerecycle-pdf-image-compression

Fixed in 3.1.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb8b08c-a028-48bd-acad-c00313fe06b8

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

cec4e455-b51c-49f9-a817-6e0c422f844a

Timeline

Publicly Published

2024-02-07 (about 2 years ago)

Added

2024-02-07 (about 2 years ago)

Last Updated

2024-02-07 (about 2 years ago)

Other

Published

Title

Published

2025-04-07

Title

Specia Companion <= 6.2 - Missing Authorization

Published

2025-06-27

Title

ChatBot < 6.7.5 - Missing Authorization

Published

2024-04-10

Title

Popup by Supsystic < 1.10.28 - Missing Authorization

Published

2026-03-03

Title

Enable Media Replace < 4.1.8 - Author+ Arbitrary Attachment Change via Background Replace

Published

2024-09-04

Title

HelloAsso < 1.1.11 - Missing Authorization to Authenticated (Contributor+) Limited Options Update