Unauthorized Options Update Vulnerability in Instant Images Plugin for WordPress by Unsplash, Openverse, Pixabay, and Pexels
CVE-2024-0869

8.8 HIGH

Key Information:

Summary

The Instant Images plugin for WordPress, which provides one-click image uploads from Unsplash, Openverse, Pixabay and Pexels, is vulnerable to an unauthorized arbitrary options update. The instant-images/license REST API endpoint writes the option it is asked to update without sufficiently verifying that the option belongs to the plugin. All versions up to and including 6.1.0 are affected. An authenticated attacker with author-level permissions or higher can therefore update arbitrary WordPress options, not merely the plugin's own settings. Because the wp_options table holds site-wide configuration, an unrestricted write to it is a site-wide configuration write, which is why the CVSS assessment below rates confidentiality, integrity and availability impact as High.
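The defect class is easiest to see as code. The following PHP is an added illustration written for this page, not the Instant Images plugin's actual source: the route namespace, parameter names and option keys (example-plugin/v1, option, value, example_plugin_license_*) are assumptions. The first handler shows the pattern the summary describes, a REST callback that passes a request-supplied option name straight to update_option(); the second shows the fix a reviewer would expect, an allowlist of the plugin's own option keys plus a permission callback that requires manage_options rather than a capability an Author holds.

```php
<?php
// Added illustration of the bug class behind CVE-2024-0869.
// NOT the Instant Images plugin's code: route, parameter and option names
// below are assumptions chosen for the example.

// VULNERABLE pattern: the option name is taken from the request and written
// with update_option() without checking that it is one of the plugin's own
// options. Any WordPress option can be overwritten by any user who gets
// past the route's permission callback.
function example_license_update_vulnerable( WP_REST_Request $request ) {
    $option = $request->get_param( 'option' ); // attacker-controlled name
    $value  = $request->get_param( 'value' );  // attacker-controlled value
    update_option( $option, $value );           // no ownership check
    return rest_ensure_response( array( 'success' => true ) );
}

// HARDENED pattern: only a fixed allowlist of this plugin's option keys may
// be written, the value is sanitized, and anything else is rejected.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_plugin_license_key',    // hypothetical option name
    'example_plugin_license_status', // hypothetical option name
);

function example_license_update_hardened( WP_REST_Request $request ) {
    $option = sanitize_key( (string) $request->get_param( 'option' ) );
    if ( ! in_array( $option, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        return new WP_Error(
            'rest_forbidden_option',
            'Option is not managed by this plugin.',
            array( 'status' => 403 )
        );
    }
    $value = sanitize_text_field( (string) $request->get_param( 'value' ) );
    update_option( $option, $value );
    return rest_ensure_response( array( 'success' => true, 'option' => $option ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/license', array(
        'methods'             => 'POST',
        'callback'            => 'example_license_update_hardened',
        // Plugin settings are an administrator concern. Requiring
        // manage_options excludes Author-level users, whose capabilities
        // (e.g. upload_files) are enough to use the plugin but not to
        // reconfigure it or the site.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'option' => array( 'required' => true, 'type' => 'string' ),
            'value'  => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The two controls are independent and both matter: the allowlist bounds what the endpoint can write even if the capability check is later loosened, and the manage_options requirement keeps lower-privileged roles away from configuration endpoints even if a new option key is added to the allowlist carelessly.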

Affected Version(s)

Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels: all versions <= 6.1.0

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (assembled from the metrics below)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

Sean Murphy