CVE-2024-13707

Name of the Vulnerable Software and Affected Versions WP Image Uploader plugin for WordPress versions up to, and including, 1.0.1

Description The issue is related to Cross-Site Request Forgery, which is possible due to missing or incorrect nonce validation in the gky image uploader main function() function. This allows unauthenticated attackers to delete arbitrary files via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Recommendations For WP Image Uploader plugin for WordPress versions up to, and including, 1.0.1: Update to a version higher than 1.0.1 to resolve the issue. As a temporary workaround, consider disabling the gky image uploader main function() function until a patch is available. Ensure proper nonce validation is implemented to prevent Cross-Site Request Forgery attacks.