CVE-2024-5856

Name of the Vulnerable Software and Affected Versions: Comment Images Reloaded plugin for WordPress versions up to, and including, 2.2.1

Description: The issue is related to a missing capability check on the cir delete image AJAX action. This allows authenticated attackers with Subscriber-level access and above to delete arbitrary media attachments, resulting in unauthorized loss of data.

Recommendations: For versions up to, and including, 2.2.1, update to a version that includes a fix for the missing capability check on the cir delete image AJAX action. As a temporary workaround, consider restricting access to the cir delete image AJAX action to prevent unauthorized deletion of media attachments.