ImageRecycle pdf & image compression <= 3.1.14 - Missing Authorization in Several AJAX Actions
Description
The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 3.1.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions, such as updating plugin settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized settings modification due to missing capability checks on AJAX actions, affecting versions up to 3.1.14.
Vulnerability
The ImageRecycle pdf & image compression plugin for WordPress (versions up to and including 3.1.14) fails to perform capability checks on several AJAX actions. This allows authenticated users with Subscriber-level access or higher to perform unauthorized modifications, such as updating plugin settings. The missing capability check means that any authenticated user can trigger these AJAX endpoints without proper authorization. [1]
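To show what the missing check looks like in a WordPress AJAX handler and how it is closed, here is an added example; it is not the plugin's own code, and the action name `example_save_settings`, the option key and the settings fields are hypothetical.

```php
<?php
// Added example, not code from the ImageRecycle plugin. The action name,
// option key and field names below are hypothetical.

// VULNERABLE pattern: wp_ajax_* hooks fire for every logged-in user, so a
// Subscriber who POSTs action=example_save_settings to admin-ajax.php reaches
// this function, and nothing checks who they are before the option is written.
function example_save_settings_unsafe() {
    update_option( 'example_settings', $_POST['settings'] );
    wp_send_json_success();
}
// Vulnerable registration (kept commented out so only the hardened handler runs):
// add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unsafe' );

// HARDENED pattern: verify a nonce bound to this action, require the capability
// an administrator holds, then sanitize before saving.
function example_save_settings_safe() {
    // Dies with a 403 unless the request carries a nonce created with
    // wp_create_nonce( 'example_save_settings' ) in the 'nonce' field.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // The capability check that was missing: Subscribers do not have
    // manage_options, so they are stopped here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Never store raw $_POST; whitelist and sanitize each expected field.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array(
        'quality' => isset( $raw['quality'] ) ? absint( $raw['quality'] ) : 80,
        'api_key' => isset( $raw['api_key'] ) ? sanitize_text_field( $raw['api_key'] ) : '',
    );

    update_option( 'example_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_safe' );
```

When reviewing a plugin for this class of bug, list every `wp_ajax_` and `wp_ajax_nopriv_` callback and confirm each one calls `current_user_can()` with an appropriate capability before any write.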
Exploitation
An attacker needs only a valid WordPress account with Subscriber-level access or above. No additional privileges are required. The attacker can send crafted AJAX requests to the vulnerable endpoints, which are accessible to authenticated users. The exact sequence involves identifying the AJAX actions that lack capability checks and then sending requests with the desired parameters to modify plugin settings.
Impact
Successful exploitation allows an attacker to modify plugin settings arbitrarily. This could lead to misconfiguration of the image compression service, potential data exposure, or disruption of service. The attacker gains the ability to change settings that should only be accessible to administrators, thereby compromising the integrity of the plugin's configuration.
Mitigation
The vulnerability is fixed in version 3.1.15 and later. Users should update to the latest version (3.1.18 as of the reference date) immediately. No workarounds are available for unpatched versions. The plugin is actively maintained, and updating is the recommended mitigation. [1]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ImageRecycle pdf & image compression (no CPE): versions <= 3.1.14
- (no CPE): range 0