CVE-2021-24334
Instant Images WordPress Plugin < 4.4.0.1 - Authenticated Stored XSS & XFS
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS —EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
01 Jun 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue.
Affected products
Unknown · Instant Images – One Click Unsplash Uploads