CVE-2026-24560
Description
Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cloudinary WordPress plugin <= 3.3.2 has a missing authorization flaw allowing low-privileged users to perform unauthorized actions.
Overview
The Cloudinary WordPress plugin (cloudinary-image-management-and-manipulation-in-the-cloud-cdn) contains a missing authorization vulnerability in versions up to and including 3.3.2. This broken access control issue means that certain functions or endpoints do not properly check whether the requesting user has the required permissions.
Exploitation
An attacker with a low-privileged account (e.g., subscriber) can exploit this by sending crafted requests to the affected endpoints, bypassing access controls. No higher-privileged account is required; the flaw lies in the server-side permission checks [1].
Impact
Successful exploitation could allow an attacker to perform actions reserved for higher-privileged users, such as modifying Cloudinary settings, accessing sensitive configuration data, or altering media management functionality. This could compromise the site's media handling and potentially lead to further attacks.
Mitigation
The vendor has addressed this vulnerability in version 3.3.3. Users should update the plugin immediately. If updating is not possible, consult your hosting provider for assistance. This vulnerability is known to be used in mass exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.