Description
Missing Authorization vulnerability in GrandPlugins Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes image-sizes-controller allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes: from n/a through <= 1.0.10.
Published: 2025-06-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability, identified as a missing authorization flaw, allows attackers to manipulate image size settings within WordPress. By leveraging the plugin’s configuration endpoints, an attacker can create custom image sizes or disable existing ones, potentially compromising the way media is handled on the site. The weakness aligns with CWE‑862, indicating that the plugin fails to enforce proper access control checks.

Affected Systems

The affected software is GrandPlugins’ Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes plugin, specifically any release version up to and including 1.0.10. There is no broader product coverage beyond this plugin, and versions newer than 1.0.10 are not impacted based on the information given.

Risk and Exploitability

The CVSS score of 4.3 places this vulnerability in the moderate range, suggesting that the potential impact is limited to configuration changes rather than full compromise. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation appears to be achievable via the plugin’s administrative interface or exposed API endpoints, and would likely require the ability to authenticate on the WordPress site, though the exact vector is not explicitly stated. Given the moderate severity and low exploit likelihood, the risk is considered moderate but warrants timely mitigation.

Generated by OpenCVE AI on April 30, 2026 at 10:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GrandPlugins Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes plugin to a version newer than 1.0.10 or apply the vendor’s latest patch if available.
  • Restrict access to the plugin’s administration pages to the minimum set of trusted users and enforce strong authentication.
  • If the plugin is not essential to site functionality, consider disabling or uninstalling it entirely to eliminate the risk.

Generated by OpenCVE AI on April 30, 2026 at 10:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18941 Missing Authorization vulnerability in GrandPlugins Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes: from n/a through 1.0.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in GrandPlugins Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes: from n/a through 1.0.9. Missing Authorization vulnerability in GrandPlugins Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes image-sizes-controller allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes: from n/a through <= 1.0.10.
Title WordPress Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes plugin <= 1.0.9 - Broken Access Control Vulnerability WordPress Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes plugin <= 1.0.10 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Mon, 23 Jun 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in GrandPlugins Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes: from n/a through 1.0.9.
Title WordPress Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes plugin <= 1.0.9 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:25:09.478Z

Reserved: 2025-06-11T16:07:41.545Z

Link: CVE-2025-49973

cve-icon Vulnrichment

Updated: 2025-06-23T20:54:59.083Z

cve-icon NVD

Status : Deferred

Published: 2025-06-20T15:15:22.647

Modified: 2026-04-23T15:31:54.030

Link: CVE-2025-49973

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T10:45:26Z

Weaknesses