Enjoy Social Feed <= 6.2.2 – Unauthenticated Arbitrary Instagram Account Unlinking | CVE 2024-0779 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF in various function hooked to admin_init, allowing unauthenticated users to call them and unlink arbitrary users Instagram Account for example

Proof of Concept

As unauthenticated, open the following URL to unlink the Instagram account of the user with ID 5:

https://example.com/wp-admin/admin-post.php?action=enjoyinstagram-remove-user&user_id=5&tab=users-settings

Affects Plugins

enjoy-instagram-instagram-responsive-images-gallery-and-carousel

No known fix

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

ced134cf-82c5-401b-9476-b6456e1924e2

Timeline

Publicly Published

2024-02-20 (about 1 year ago)

Added

2024-02-20 (about 1 year ago)

Last Updated

2024-02-20 (about 1 year ago)

Other

Published

Title

Published

2025-10-15

Title

Classified Pro < 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

Published

2025-10-20

Title

KiotViet Sync <= 1.8.5 - Missing Authorization

Published

2025-07-29

Title

Bookify < 1.0.10 - Authenticated (Subscriber+) Privilege Escalation

Published

2024-12-11

Title

Gou Manage My Account Menu < 1.0.1.9 - Missing Authorization

Published

2025-11-09

Title

Seriously Simple Podcasting < 3.14.0 - Missing Authorization