Security Vulnerability Report: Broken Access Control (CVE-2026-24560)
Summary
A Broken Access Control vulnerability has been identified in the Cloudinary WordPress Plugin affecting all versions up to and including 3.3.0. This vulnerability was publicly disclosed by Patchstack on January 22, 2026, and currently has no official fix available.
Vulnerability Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-24560 |
| Vulnerability Type | Broken Access Control (Missing Authorization) |
| CVSS Score | 5.4 (Medium) |
| OWASP Classification | A1: Broken Access Control |
| Affected Versions | <= 3.3.0 |
| Required Privilege | Subscriber (Authenticated User) |
| Patchstack ID | 95495bd6f5d6 |
Description
A broken access control vulnerability exists due to a missing authorization, authentication, or nonce token check in a function. This flaw could allow a low-privileged authenticated user (Subscriber role or higher) to execute actions that should be restricted to higher-privileged users.
Impact
Users with Subscriber-level access could potentially:
- Access functionality intended for Administrators or Editors
- Perform unauthorized operations within the plugin
- Bypass intended access restrictions
Timeline
| Date | Event |
|---|---|
| December 23, 2025 | Vulnerability reported to Patchstack by Nabil Irawan |
| January 14, 2026 | Cloudinary releases version 3.3.0 (vulnerability NOT addressed) |
| January 22, 2026 | Patchstack publicly discloses vulnerability |
| January 31, 2026 | No fix available; GitHub issue not created by vendor |
References
- Patchstack Advisory: https://patchstack.com/database/wordpress/plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability
- WordPress Plugin Page: https://wordpress.org/plugins/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/
- Security Researcher: Nabil Irawan (Patchstack Profile)
Recommended Actions
For Cloudinary Development Team:
- Immediate: Investigate the reported vulnerability and identify the affected function(s)
- Priority: Implement proper authorization checks (capability checks, nonce verification)
- Release: Publish a security patch as version 3.3.1 or higher
- Communication: Update users about the security fix in release notes and changelog
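To make the "capability checks, nonce verification" recommendation concrete, here is an added illustration that is not code from the Cloudinary plugin (the advisory does not identify the affected function): a hypothetical WordPress AJAX handler with the missing checks, followed by the same handler with both checks in place. The action name, the `example_plugin_settings` option, the `manage_options` capability and the nonce field name are assumptions.

```php
<?php
// Added illustration, not Cloudinary plugin code. Handler names, the
// 'example_plugin_settings' option and the nonce action are assumptions.

// BEFORE: the pattern the advisory describes. A wp_ajax_* hook fires for
// any logged-in user, Subscribers included, and nothing here verifies that
// the caller is allowed to perform the action (no capability check) or that
// the request came from a legitimate plugin page (no nonce).
function example_plugin_save_settings_unchecked() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_settings', $value );
    wp_send_json_success( array( 'saved' => true ) );
}
// Vulnerable registration, kept commented out so only the checked handler runs:
// add_action( 'wp_ajax_example_plugin_save_settings', 'example_plugin_save_settings_unchecked' );

// AFTER: the two checks the report asks the vendor to add.
function example_plugin_save_settings_checked() {
    // 1. Nonce verification (CSRF defence): rejects requests that do not carry
    //    a nonce created for this action. check_ajax_referer() stops execution
    //    with a -1 response when the nonce is missing or invalid.
    check_ajax_referer( 'example_plugin_save_settings', 'nonce' );

    // 2. Capability check (the actual authorization decision): Subscribers do
    //    not hold 'manage_options', so their request ends here with HTTP 403.
    //    wp_send_json_error() calls wp_die(), so nothing below it runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_settings', $value );
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_example_plugin_save_settings', 'example_plugin_save_settings_checked' );

// The nonce is issued on the admin page that makes the request, for example
// when enqueuing the page's script:
//   wp_localize_script( 'example-plugin-admin', 'examplePlugin', array(
//       'nonce' => wp_create_nonce( 'example_plugin_save_settings' ),
//   ) );
```

Nonce verification alone is not authorization: any user who can load a page that emits the nonce can obtain a valid one, so the capability check is the control that actually enforces the role boundary the advisory says is missing.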
For Users (Temporary Mitigation):
- Audit user roles: Ensure only trusted users have Subscriber or higher access
- Monitor activity: Review logs for suspicious plugin-related activity
- Consider disabling: If Subscriber-level accounts are not trusted, temporarily disable the plugin until a fix is released
- Stay updated: Watch for plugin updates and apply immediately when a fix is released
Request
I kindly request the Cloudinary team to:
- ✅ Acknowledge this security report
- ✅ Provide an estimated timeline for the security patch
- ✅ Release a patched version addressing CVE-2026-24560
- ✅ Coordinate with Patchstack to update the vulnerability status
Severity Assessment
While Patchstack classifies this as "Low priority - No impactful threat", the CVSS score of 5.4 (Medium) indicates this should still be addressed promptly. Broken Access Control consistently ranks as the #1 vulnerability category in the OWASP Top 10.
Original Discovery: Nabil Irawan via Patchstack