Image Watermark < 1.7.4 – Missing Authorization to Authenticated (Subscriber+) Watermark Modification | CVE 2024-1994 | Plugin Vulnerabilities

Description

The Image Watermark plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the watermark_action_ajax() function in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to apply and remove watermarks from images.

Affects Plugins

image-watermark

Fixed in 1.7.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/31a66e30-972b-4a7b-9d47-ad7abd574e36

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

dfffe319-d3da-4a50-80ad-65e1d23c6eaa

Timeline

Publicly Published

2024-04-05 (about 2 years ago)

Added

2024-04-05 (about 2 years ago)

Last Updated

2024-04-05 (about 2 years ago)

Other

Published

Title

Published

2024-05-20

Title

ShopLentor < 2.8.9 - Authenticated Option Update

Published

2024-04-25

Title

Barcode Scanner with Inventory & Order Manager < 1.5.4 - Missing Authorization

Published

2026-06-02

Title

Employee, Leave and Recruitment Management System – Crew HRM < 1.2.3 - Missing Authorization

Published

2026-05-12

Title

RTMKit Addons for Elementor < 2.0.3 - Authenticated (Author+) Missing Authorization to Widget Configuration Modification

Published

2025-04-16

Title

WooCommerce Product Table Lite < 3.9.6 - Missing Authorization