Search criteria
4 vulnerabilities found for instant_images_-_one_click_unsplash_uploads by connekthq
CVE-2024-0869 (GCVE-0-2024-0869)
Vulnerability from nvd – Published: 2024-02-05 21:21 – Updated: 2024-08-27 16:33
VLAI?
Summary
The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint in all versions up to, and including, 6.1.0. This makes it possible for authors and higher to update arbitrary options.
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| connekthq | Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels |
Affected:
* , ≤ 6.1.0
(semver)
|
Credits
Sean Murphy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T16:33:16.390333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T16:33:26.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:18:18.912Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/instant-images/tags/6.1.0/api/license.php#L91"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/instant-images/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3027110/instant-images/tags/6.1.1/api/license.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Instant Images \u2013 One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels",
"vendor": "connekthq",
"versions": [
{
"lessThanOrEqual": "6.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sean Murphy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Instant Images \u2013 One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint in all versions up to, and including, 6.1.0. This makes it possible for authors and higher to update arbitrary options."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-05T21:21:34.214Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/instant-images/tags/6.1.0/api/license.php#L91"
},
{
"url": "https://wordpress.org/plugins/instant-images/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3027110/instant-images/tags/6.1.1/api/license.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-29T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0869",
"datePublished": "2024-02-05T21:21:34.214Z",
"dateReserved": "2024-01-24T19:23:08.086Z",
"dateUpdated": "2024-08-27T16:33:26.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24334 (GCVE-0-2021-24334)
Vulnerability from nvd – Published: 2021-06-01 11:33 – Updated: 2024-08-03 19:28
VLAI?
Title
Instant Images WordPress Plugin < 4.4.0.1 - Authenticated Stored XSS & XFS
Summary
The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Instant Images – One Click Unsplash Uploads |
Affected:
4.4.0.1 , < 4.4.0.1
(custom)
|
Credits
m0ze
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/ae79189a-6b63-4110-9567-cd7c97d71e4f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://m0ze.ru/vulnerability/%5B2021-04-22%5D-%5BWordPress%5D-%5BCWE-79%5D-Instant-Images-WordPress-Plugin-v4.4.0.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Instant Images \u2013 One Click Unsplash Uploads",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.4.0.1",
"status": "affected",
"version": "4.4.0.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "m0ze"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Instant Images \u2013 One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T11:33:31",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/ae79189a-6b63-4110-9567-cd7c97d71e4f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://m0ze.ru/vulnerability/%5B2021-04-22%5D-%5BWordPress%5D-%5BCWE-79%5D-Instant-Images-WordPress-Plugin-v4.4.0.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Instant Images WordPress Plugin \u003c 4.4.0.1 - Authenticated Stored XSS \u0026 XFS",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24334",
"STATE": "PUBLIC",
"TITLE": "Instant Images WordPress Plugin \u003c 4.4.0.1 - Authenticated Stored XSS \u0026 XFS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Instant Images \u2013 One Click Unsplash Uploads",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.4.0.1",
"version_value": "4.4.0.1"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "m0ze"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Instant Images \u2013 One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/ae79189a-6b63-4110-9567-cd7c97d71e4f",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/ae79189a-6b63-4110-9567-cd7c97d71e4f"
},
{
"name": "https://m0ze.ru/vulnerability/[2021-04-22]-[WordPress]-[CWE-79]-Instant-Images-WordPress-Plugin-v4.4.0.txt",
"refsource": "MISC",
"url": "https://m0ze.ru/vulnerability/[2021-04-22]-[WordPress]-[CWE-79]-Instant-Images-WordPress-Plugin-v4.4.0.txt"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24334",
"datePublished": "2021-06-01T11:33:31",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0869 (GCVE-0-2024-0869)
Vulnerability from cvelistv5 – Published: 2024-02-05 21:21 – Updated: 2024-08-27 16:33
VLAI?
Summary
The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint in all versions up to, and including, 6.1.0. This makes it possible for authors and higher to update arbitrary options.
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| connekthq | Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels |
Affected:
* , ≤ 6.1.0
(semver)
|
Credits
Sean Murphy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T16:33:16.390333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T16:33:26.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:18:18.912Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/instant-images/tags/6.1.0/api/license.php#L91"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/instant-images/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3027110/instant-images/tags/6.1.1/api/license.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Instant Images \u2013 One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels",
"vendor": "connekthq",
"versions": [
{
"lessThanOrEqual": "6.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sean Murphy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Instant Images \u2013 One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint in all versions up to, and including, 6.1.0. This makes it possible for authors and higher to update arbitrary options."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-05T21:21:34.214Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/instant-images/tags/6.1.0/api/license.php#L91"
},
{
"url": "https://wordpress.org/plugins/instant-images/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3027110/instant-images/tags/6.1.1/api/license.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-29T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0869",
"datePublished": "2024-02-05T21:21:34.214Z",
"dateReserved": "2024-01-24T19:23:08.086Z",
"dateUpdated": "2024-08-27T16:33:26.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24334 (GCVE-0-2021-24334)
Vulnerability from cvelistv5 – Published: 2021-06-01 11:33 – Updated: 2024-08-03 19:28
VLAI?
Title
Instant Images WordPress Plugin < 4.4.0.1 - Authenticated Stored XSS & XFS
Summary
The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Instant Images – One Click Unsplash Uploads |
Affected:
4.4.0.1 , < 4.4.0.1
(custom)
|
Credits
m0ze
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/ae79189a-6b63-4110-9567-cd7c97d71e4f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://m0ze.ru/vulnerability/%5B2021-04-22%5D-%5BWordPress%5D-%5BCWE-79%5D-Instant-Images-WordPress-Plugin-v4.4.0.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Instant Images \u2013 One Click Unsplash Uploads",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.4.0.1",
"status": "affected",
"version": "4.4.0.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "m0ze"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Instant Images \u2013 One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T11:33:31",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/ae79189a-6b63-4110-9567-cd7c97d71e4f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://m0ze.ru/vulnerability/%5B2021-04-22%5D-%5BWordPress%5D-%5BCWE-79%5D-Instant-Images-WordPress-Plugin-v4.4.0.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Instant Images WordPress Plugin \u003c 4.4.0.1 - Authenticated Stored XSS \u0026 XFS",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24334",
"STATE": "PUBLIC",
"TITLE": "Instant Images WordPress Plugin \u003c 4.4.0.1 - Authenticated Stored XSS \u0026 XFS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Instant Images \u2013 One Click Unsplash Uploads",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.4.0.1",
"version_value": "4.4.0.1"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "m0ze"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Instant Images \u2013 One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/ae79189a-6b63-4110-9567-cd7c97d71e4f",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/ae79189a-6b63-4110-9567-cd7c97d71e4f"
},
{
"name": "https://m0ze.ru/vulnerability/[2021-04-22]-[WordPress]-[CWE-79]-Instant-Images-WordPress-Plugin-v4.4.0.txt",
"refsource": "MISC",
"url": "https://m0ze.ru/vulnerability/[2021-04-22]-[WordPress]-[CWE-79]-Instant-Images-WordPress-Plugin-v4.4.0.txt"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24334",
"datePublished": "2021-06-01T11:33:31",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}