CVE-2024-0869

EUVD-2024-16652
The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint in all versions up to, and including, 6.1.0. This makes it possible for authors and higher to update arbitrary options.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
WordfenceCNA
8.8 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
Affected Products (NVD)
VendorProductVersion
connekthqinstant_images_-_one_click_unsplash_uploads
𝑥
≤ 6.1.0
𝑥
= Vulnerable software versions
References
https://plugins.trac.wordpress.org/browser/instant-images/tags/6.1.0/api/license.php#L91
https://plugins.trac.wordpress.org/changeset/3027110/instant-images/tags/6.1.1/api/license.php
https://wordpress.org/plugins/instant-images/
https://www.wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395?source=cve
https://plugins.trac.wordpress.org/browser/instant-images/tags/6.1.0/api/license.php#L91
https://plugins.trac.wordpress.org/changeset/3027110/instant-images/tags/6.1.1/api/license.php
https://wordpress.org/plugins/instant-images/
https://www.wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395?source=cve