CVE-2024-0869: 
WordPress vulnerability analysis and mitigation

The Instant Images WordPress plugin (versions up to 6.1.0) contains a vulnerability that allows unauthorized arbitrary options updates. The vulnerability exists in the instant-images/license REST API endpoint due to insufficient verification of whether updated options belong to the plugin. This security flaw enables users with author-level permissions or higher to modify arbitrary WordPress options (NVD).

The vulnerability is tracked as CVE-2024-0869 and has received varying severity assessments. The National Vulnerability Database (NVD) rates it as MEDIUM with a CVSS v3.1 base score of 6.5 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N), while Wordfence assesses it as HIGH with a CVSS score of 8.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability specifically affects the license REST API endpoint in the plugin (NVD).

The vulnerability allows authenticated users with author-level permissions or higher to modify arbitrary WordPress options, potentially leading to unauthorized changes in critical site settings. This could result in site misconfiguration or potential security compromises (NVD).

Users are advised to update to version 6.1.1 or later of the Instant Images plugin, which includes security patches that address this vulnerability. The fix was implemented in the plugin's license.php file (WordPress Plugin).