WordPress Plugin Vulnerabilities

Featured Image from URL < 4.8.2 - Missing Authorization

Description

The Featured Image from URL plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fifu_save_sizes_api() function in versions up to, and including, 4.8.1. This makes it possible for unauthenticated attackers to update size settings.

Affects Plugins

Plugin icon
featured-image-from-url
Fixed in 4.8.2

References

CVE
CVE-2024-37276
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/20813a6f-672e-4c06-a5a6-737483f4d402

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
d433f0f7-859d-45d4-a652-13f9a4992a05

Timeline

Publicly Published
2024-06-28 (about 1 year ago)
Added
2024-07-03 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2025-03-04
Title
WordPress Awesome Import & Export Plugin - Import & Export WordPress Data <= 4.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Execution/Privilege Escalation
Published
2025-01-16
Title
WPLingo – Forum Plugin <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2024-08-07
Title
Easy Digital Downloads < 3.3.1 - Missing Authorization
Published
2023-11-14
Title
WP Courses LMS < 3.2.4 - Subscriber+ Arbitrary Options Update
Published
2025-04-07
Title
Hive Support < 1.2.6 - Missing Authorization