Vulnerabilities and security researches forinstant-images instant-images

Jun 07, 2024

CVE, Research URL: CVE-2024-33569
Home page URL: Security reports for Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Application: Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Date: May 17, 2024
Research Description: Improper Privilege Management vulnerability in Darren Cooney Instant Images allows Privilege Escalation.This issue affects Instant Images: from n/a through 6.1.0.
Affected versions: max 6.1.1.
Status: vulnerable

CVE, Research URL: CVE-2021-24334
Home page URL: Security reports for Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Application: Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Date: Jun 01, 2021
Research Description: The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue.
Affected versions: max 4.4.0.1.
Status: vulnerable

CVE, Research URL: CVE-2023-27451
Home page URL: Security reports for Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Application: Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Date: Nov 22, 2023
Research Description: Server-Side Request Forgery (SSRF) vulnerability in Darren Cooney Instant Images plugin <= 5.1.0.2 versions.
Affected versions: max 6.1.1.
Status: vulnerable

CVE, Research URL: CVE-2024-0869
Home page URL: Security reports for Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Application: Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Date: Feb 06, 2024
Research Description: The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint in all versions up to, and including, 6.1.0. This makes it possible for authors and higher to update arbitrary options.
Affected versions: max 6.1.1.
Status: vulnerable

May 26, 2026

PSC, Research URL: PSC-2026-64662
Home page URL: Security reports for Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Application: Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Date: May 26, 2026
Research Description: Image import plugins bridge WordPress with external media providers, proxy services, remote image URLs, metadata processing, and the local Media Library. That workflow improves publishing speed, but it also expands the attack surface around remote downloads, MIME validation, alt text and caption handling, attribution metadata, and editor integrations. Instant Images version 7.1.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64662, confirming that the plugin was reviewed from a secure code perspective with attention to common exploitation paths for remote image import and media-library workflow plugins.
Affected versions: Min 7.1.1, max 7.1.1.
Status: SAFE & CERTIFIED