PT-2021-3638 · WordPress · Instant Images – One Click Unsplash Uploads

M0Ze

Published: 2021-06-01 · Updated: 2021-06-11

CVE-2021-24334

CVSS v2.0: 7.0 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Instant Images – One Click Unsplash Uploads WordPress plugin, versions prior to 4.4.0.1.

Description
The issue stems from improper validation and sanitization of the unsplash download w and unsplash download h parameter settings handled by the /wp-admin/upload.php?page=instant-images API endpoint. A value saved through these settings is later rendered into the page without adequate output protection, which results in stored cross-site scripting (XSS): a remote attacker can persist script in the settings and have it executed in the browser of anyone who loads the affected page.

Recommendations
For Instant Images – One Click Unsplash Uploads WordPress plugin versions prior to 4.4.0.1, update to version 4.4.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /wp-admin/upload.php?page=instant-images API endpoint until the update is applied. Additionally, avoid using the unsplash download w and unsplash download h parameters in the affected endpoint until the issue is resolved.
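The defensive pattern the description implies, as an added illustration that is not the plugin's own code: a numeric setting such as a download width or height is coerced to a bounded integer on save (so markup can never be stored) and is still escaped when written back into the settings form. The option names, setting group, bounds and function names below are assumptions for the example.

```php
<?php
// Added example (not the Instant Images plugin's code). Option names,
// bounds and the settings group are assumptions for illustration.

// Coerce a width/height setting to a positive integer within a sane range.
// absint() discards anything that is not a non-negative integer, so a
// string carrying markup can never survive into the stored option.
function ii_example_sanitize_dimension( $value ) {
    $n = absint( $value );
    if ( $n < 1 ) {
        $n = 1;
    }
    if ( $n > 5000 ) {
        $n = 5000;
    }
    return $n;
}

// Register both dimension settings with the sanitize callback so that
// every write through the Settings API goes through the same validation.
add_action( 'admin_init', function () {
    foreach ( array( 'ii_example_download_w', 'ii_example_download_h' ) as $option ) {
        register_setting( 'ii_example_settings', $option, array(
            'type'              => 'integer',
            'sanitize_callback' => 'ii_example_sanitize_dimension',
            'default'           => 1600,
        ) );
    }
} );

// Render the stored value back into an attribute context. Output escaping
// is kept even though the value was sanitized on save: the two controls
// protect against different failure modes (a bypassed save path vs. an
// unsafe render path).
function ii_example_render_field( $option ) {
    $value = get_option( $option, 1600 );
    printf(
        '<input type="number" name="%1$s" value="%2$s" min="1" max="5000">',
        esc_attr( $option ),
        esc_attr( $value )
    );
}
```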

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

BDU:2021-03857
CVE-2021-24334

Affected Products

Instant Images – One Click Unsplash Uploads