Security Vulnerability Report – Broken Access Control (Patchstack)

Resolved komalgondhali
(@komalgondhali)

3 months ago
Hi Support Team,

I’d like to report a security concern regarding the Cloudinary plugin.

Patchstack has published a notice about a Broken Access Control vulnerability discovered by Nabil Irawan, affecting Cloudinary plugin versions 3.3.1 and earlier.

Vulnerability Details:
- Type: Broken Access Control
- Discovery Date: January 22, 2026
- Source: Patchstack
- Reference: https://patchstack.com/database/wordpress/plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability
As the latest available version is also reported to be affected, could you please advise if there is any recommended mitigation or temporary workaround we should implement until a patched release is available?

Thank you for your support. I look forward to your response.

Viewing 5 replies - 1 through 5 (of 5 total)

tamaracloudinary
(@tamaracloudinary)

3 months ago
Hi @komalgondhali

This issue was already resolved in the previous released version. Thank you for reporting it
- This reply was modified 3 months ago by tamaracloudinary.
Thread Starter komalgondhali
(@komalgondhali)

3 months ago

Hi @tamaracloudinary,

Thank you for the update and for providing the patched release.

I’ve updated the plugin to the latest version, and the issue is now resolved.

Appreciate the quick response and the effort from you and the development team in addressing this.

Best regards,
Komal Gondhali

Thread Starter komalgondhali
(@komalgondhali)

3 months ago

Hi @tamaracloudinary,

I’m still seeing a vulnerability notice for version 3.3.2 as well.

Reference:
https://patchstack.com/database/wordpress/plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability

Could you kindly clarify whether this is a false positive or if an additional update is planned?

Thank you
Komal Gondhali

dejicloudinary
(@dejicloudinary)

2 months, 3 weeks ago

Hi Komal,

The issue mentioned in this request has been fixed on our side. If you discover a security issue with our plugin or service, we invite you to participate in Cloudinary’s bug bounty program which is managed through BugCrowd. You can learn more about the program here: https://bugcrowd.com/engagements/cloudinary

Best Regards,
Deji

Thread Starter komalgondhali
(@komalgondhali)

1 month, 3 weeks ago

Hi @dejicloudinary,

I’m still seeing a vulnerability notice for version 3.3.2.

Reference:
https://patchstack.com/database/wordpress/plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability

Could you kindly clarify whether this is a false positive or if an additional update is planned?

Thank you
Komal Gondhali

Viewing 5 replies - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.