WPZOOM Social Feed Widget & Block Vulnerability – Missing Authorization to Authenticated (Subscriber+) Instagram Image Deletion – CVE-2024-3662 | WordPress Plugin Vulnerability Report
Plugin Name: WPZOOM Social Feed Widget & Block
Key Information:
- Software Type: Plugin
- Software Slug: instagram-widget-by-wpzoom
- Software Status: Active
- Software Author: wpzoom
- Software Downloads: 1,824,393
- Active Installs: 80,000
- Last Updated: April 25, 2024
- Patched Versions: 2.1.14
- Affected Versions: <= 2.1.13
Vulnerability Details:
- Name: WPZOOM Social Feed Widget & Block <= 2.1.13
- Title: Missing Authorization to Authenticated (Subscriber+) Instagram Image Deletion
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CVE: CVE-2024-3662
- CVSS Score: 4.3
- Publicly Published: April 12, 2024
- Researcher: Thura Moe Myint
- Description: The WPZOOM Social Feed Widget & Block plugin for WordPress is currently vulnerable due to a missing capability check in the wpzoom_instagram_clear_data() function. This vulnerability, affecting all versions up to and including 2.1.13, allows authenticated users at the subscriber level and above to delete all Instagram images from the site without proper authorization.
Summary:
The WPZOOM Social Feed Widget & Block for WordPress has a significant security vulnerability in versions up to and including 2.1.13 that enables authenticated users with subscriber-level permissions to inadvertently or maliciously delete Instagram images. This issue has been resolved in the latest patch, version 2.1.14.
Detailed Overview:
This vulnerability was identified by security researcher Thura Moe Myint and made public on April 12, 2024. It stems from a lack of sufficient security checks within the plugin's function to clear Instagram data, an action that should be restricted to users with administrative privileges. Because the function performs no capability check, any user with subscriber-level access could trigger it, leading to the potential loss of Instagram content linked through the plugin. The patch in version 2.1.14 addresses this issue by adding the necessary authorization checks to prevent unauthorized access and modifications.
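The root cause described above (a destructive action reachable by any logged-in user because the handler never checks capabilities) is a recurring WordPress plugin bug class. The following is an added illustrative example, not the plugin's own code: the hook name, option name and function names are assumptions chosen to show the pattern, with the insecure handler beside the hardened form that the 2.1.14 fix is described as adopting (an authorization check before the data is cleared).

```php
<?php
// Added example, not code from the WPZOOM plugin. The hook names,
// 'example_instagram_cache' option and function names are assumptions
// illustrating the bug class behind CVE-2024-3662: a privileged action
// exposed to every authenticated user because no capability is checked.

// --- Vulnerable pattern (illustrative) ---
// wp_ajax_* hooks fire for any logged-in user, so a Subscriber can reach
// this handler via admin-ajax.php just as an Administrator can.
add_action( 'wp_ajax_example_clear_data', 'example_clear_data_insecure' );
function example_clear_data_insecure() {
    // No current_user_can() and no nonce verification: the destructive
    // action runs for whoever happens to be logged in.
    delete_option( 'example_instagram_cache' );
    wp_send_json_success( 'cleared' );
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_clear_data_secure', 'example_clear_data_secure' );
function example_clear_data_secure() {
    // 1. Nonce check: the request must carry a nonce issued to this user
    //    for this action (defends an admin's session against CSRF).
    //    check_ajax_referer() dies with a 403 response on failure.
    check_ajax_referer( 'example_clear_data_nonce', 'nonce' );

    // 2. Capability check: only users who may manage site options can run
    //    the destructive action. Subscribers do not have manage_options,
    //    so this is the check whose absence constitutes the vulnerability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    delete_option( 'example_instagram_cache' );
    wp_send_json_success( 'cleared' );
}

// The admin page that triggers the action supplies the matching nonce,
// e.g. via wp_localize_script(), so legitimate requests pass step 1:
function example_clear_data_nonce_for_js() {
    return wp_create_nonce( 'example_clear_data_nonce' );
}
```

When reviewing a plugin for this class of issue, look at every `wp_ajax_*`, `admin_post_*` and REST route callback that changes state and confirm it performs both a nonce check and a `current_user_can()` test for a capability the lowest intended role actually lacks; a nonce alone does not establish authorization, since Subscribers can obtain nonces for actions exposed to them.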
Advice for Users:
- Immediate Action: Update to the patched version 2.1.14 immediately to safeguard your Instagram feeds against unintended deletions.
- Check for Signs of Vulnerability: Administrators should review their site logs to determine if any unauthorized deletion of Instagram images has occurred and assess user roles to ensure only trusted users have subscriber-level access or higher.
- Alternate Plugins: Although the issue has been addressed, users concerned about potential vulnerabilities in the future may consider exploring other Instagram feed plugins that consistently demonstrate robust security practices.
- Stay Updated: Keeping your WordPress plugins updated to the latest version is crucial for maintaining site security and functionality.
Conclusion:
The prompt and effective response by WPZOOM to patch this vulnerability highlights the critical importance of timely updates in the ecosystem of WordPress plugins. Users are strongly advised to update their WPZOOM Social Feed Widget & Block plugin to version 2.1.14 or later to continue enjoying a secure and uninterrupted Instagram display experience on their WordPress sites.
References:
- Wordfence Vulnerability Report for WPZOOM Social Feed Widget & Block
- Wordfence Threat Intelligence on WPZOOM Plugins
Detailed Report:
In today's digital age, keeping your website secure is as crucial as keeping the doors locked in your physical business. The recent revelation of a critical vulnerability in the WPZOOM Social Feed Widget & Block plugin, which is popularly used by over 80,000 WordPress sites to display Instagram feeds, underscores this point dramatically. Known as CVE-2024-3662, this vulnerability exposes sites to risks where authenticated users with minimal subscriber-level access could delete Instagram images without proper authorization.
Summary:
The WPZOOM Social Feed Widget & Block for WordPress has a significant security vulnerability in versions up to and including 2.1.13 that permits users with minimal permissions to inadvertently or maliciously delete Instagram images. This serious issue has been resolved in the latest patch, version 2.1.14.
Detailed Overview:
Identified by security researcher Thura Moe Myint and publicly disclosed on April 12, 2024, the vulnerability is due to inadequate security checks within the plugin's function that manages Instagram data. The lack of stringent access controls could lead to unauthorized data deletions, impacting the visual content and user engagement on affected sites. The release of version 2.1.14 addresses this by implementing the necessary authorization checks to secure the data management functions of the plugin.
Previous Vulnerabilities:
The WPZOOM Social Feed Widget & Block has experienced various security updates, underscoring the importance of consistent monitoring and maintenance to address emergent security issues.
Conclusion:
The prompt and effective response by WPZOOM to patch this critical vulnerability underscores the essential role of regular updates in maintaining secure online environments. For small business owners managing WordPress sites, staying informed about updates and quickly applying them is vital to safeguard digital assets. Proactively managing website security can prevent significant disruptions and protect both your data and your reputation.
Staying Secure:
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.