CVE-2024-1090 identifies a missing authorization vulnerability (CWE-862) in the ImageRecycle pdf & image compression plugin for WordPress, present in all versions up to and including 3.1.13. The vulnerability stems from the absence of a capability check in the stopOptimizeAll function, which is responsible for halting all ongoing image optimization processes. Because of this missing check, any authenticated user with subscriber-level privileges or higher can invoke this function to modify image optimization settings without proper authorization. This can lead to unauthorized changes in how images are compressed or optimized on the affected WordPress site. Although the vulnerability does not allow for direct data exfiltration or denial of service, it compromises the integrity of the plugin’s configuration, potentially degrading website performance or image quality. The attack vector requires network access and valid credentials but no user interaction beyond authentication. The CVSS 3.1 base score is 4.3 (medium), reflecting low impact on confidentiality and availability but some impact on integrity. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed and enriched by CISA. Given the widespread use of WordPress and this plugin, the vulnerability poses a moderate risk to many websites worldwide.

The primary impact of CVE-2024-1090 is on the integrity of image optimization settings within affected WordPress sites. Unauthorized modification of these settings could lead to suboptimal image compression, affecting website load times, user experience, and potentially increasing bandwidth usage. While this does not directly expose sensitive data or cause service outages, degraded image handling can indirectly affect site reputation and SEO rankings. Attackers with subscriber-level access can exploit this vulnerability to disrupt normal site operations related to media management. Since subscriber-level accounts are common and often granted to registered users or contributors, the attack surface is broader than vulnerabilities requiring administrative privileges. Organizations relying on ImageRecycle for image optimization should be aware that unauthorized users might alter plugin behavior, potentially impacting site performance and user trust.

To mitigate CVE-2024-1090, organizations should implement the following specific measures: 1) Immediately restrict subscriber and other low-privilege user roles from accessing or invoking plugin functions related to image optimization, using role management plugins or custom code to enforce capability checks. 2) Monitor and audit user actions related to the ImageRecycle plugin, especially changes to optimization settings, to detect unauthorized modifications promptly. 3) Limit plugin management access strictly to trusted roles such as administrators or editors. 4) Apply principle of least privilege to all user accounts, ensuring subscribers cannot escalate privileges or access sensitive plugin functions. 5) Stay alert for official patches or updates from the ImageRecycle vendor and apply them as soon as they become available. 6) Consider temporarily disabling the plugin if unauthorized changes are detected and no patch is available. 7) Use web application firewalls (WAFs) to monitor and potentially block suspicious requests targeting the stopOptimizeAll function. These targeted mitigations go beyond generic advice by focusing on access control enforcement and monitoring specific to this vulnerability.