{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24560", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:58.116Z", "datePublished": "2026-01-23T14:28:54.961Z", "dateUpdated": "2026-04-28T16:14:49.311Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cloudinary-image-management-and-manipulation-in-the-cloud-cdn", "product": "Cloudinary", "vendor": "Cloudinary", "versions": [{"lessThanOrEqual": "3.3.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:56.285Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cloudinary: from n/a through <= 3.3.2.</p>"}], "value": "Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cloudinary: from n/a through <= 3.3.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.311Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Cloudinary plugin <= 3.3.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T20:03:06.240077Z", "id": "CVE-2026-24560", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:24:32.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24560", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T20:03:06.240077Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:03:03.664Z"}}], "cna": {"title": "WordPress Cloudinary plugin <= 3.3.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Cloudinary", "product": "Cloudinary", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.3.2"}], "packageName": "cloudinary-image-management-and-manipulation-in-the-cloud-cdn", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:56.285Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cloudinary: from n/a through <= 3.3.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cloudinary: from n/a through <= 3.3.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.112Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24560", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:24:32.815Z", "dateReserved": "2026-01-23T12:31:58.116Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:54.961Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cloudinary: from n/a through <= 3.3.2."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Cloudinary: desde n/a hasta &lt;= 3.3.0."}], "id": "CVE-2026-24560", "lastModified": "2026-04-28T15:16:14.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:13.337", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:44:52.065467+00:00", "value": {"mitigation_remediation": ["Update the Cloudinary WordPress plugin to the latest release (>= 3.3.3) to eliminate the missing authorization check.", "If updating is not immediately possible, restrict the plugin\u2019s functionality by adjusting WordPress user roles and permissions so that only administrators can access the Cloudinary settings and media operations.", "Review and tighten the Cloudinary integration settings in WordPress, ensuring that media endpoints are protected and not exposed to unauthenticated users."], "summary": {"action": "Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The affected product is the Cloudinary WordPress plugin, version 3.3.2 or earlier. No specific configurations are enumerated beyond the version constraint; the plugin is listed as Cloudinary:Cloudinary in the CNA data.", "description_and_impact": "The vulnerability arises from a missing authorization check in the Cloudinary WordPress plugin. Because the plugin does not verify a user\u2019s permissions when handling certain requests, an attacker can access or manipulate media that should be restricted. This flaw falls under the CWE-862 \"Missing Authorization\" weakness. The result is that an unauthorized user with access to the WordPress site can potentially view or modify protected content, compromising confidentiality and integrity of media assets.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% points to a very low probability of exploitation at the time of analysis, and the vulnerability is not currently listed in CISA\u2019s KEV catalog. The likely attack path requires access to the WordPress installation\u2019s web interface or the ability to send crafted HTTP requests to the plugin\u2019s endpoints. Because the flaw is a missing authorization check rather than an injection or code execution vector, the impact is largely limited to unauthorized data access rather than system compromise."}}}}, "created": "2026-01-26T11:53:16.823686+00:00", "updated": "2026-04-16T01:45:20.660287+00:00", "vendors": ["cloudinary", "cloudinary$PRODUCT$cloudinary", "wordpress", "wordpress$PRODUCT$wordpress"]}