Description
During a security review of the WordPress plugin Orbit Fox by ThemeIsle, version 2.10.45, running on WordPress version 6.7.2, I discovered that an API key is hardcoded in the source code. This key provides unauthorized access to private photos stored on the API service:
File : themeisle-companion\obfx_modules\mystock-import\init.php
Line : 23
API KEY : "97d007cf8f44203a2e578841a2c0f9ac"
Step-by-step reproduction instructions
1. Download Orbit Fox by ThemeIsle version 2.10.45.
2. Inspect the file themeisle-companion\obfx_modules\mystock-import\init.php and locate the hardcoded API key.
3. Use the API key to send a request to https://api.flickr.com/services/rest/?method=flickr.photos.getRecent&api_key=___APIKEY___&page=4&format=json&nojsoncallback=1&extras=url_w
4. The response includes image data, including private images, which should not be publicly accessible.
Screenshots, screen recording, code snippet or Help Scout ticket
Environment info
No response
Is the issue you are reporting a regression
No
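As an added example (not part of this report and not the plugin's own code), the scanner below finds hardcoded third-party API keys of the kind described above in PHP plugin source and reports them with the key redacted. The two PHP snippets embedded in it are constructed stand-ins for the shape of a module file before and after remediation; the key value, the class name and the constant/option names (`OBFX_FLICKR_API_KEY`, `obfx_flickr_api_key`) are placeholders, not values from the real file. The hardened form reads the key from a wp-config.php constant or a site option instead of a string literal, so the secret never lands in the distributed plugin archive.

```python
"""Scan WordPress/PHP plugin source for hardcoded 32-hex API keys (example scanner)."""
import re
import sys
from pathlib import Path
from typing import NamedTuple

# Flickr (and many other services) issue 32-character lowercase hex keys.
HEX32 = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")
# Only flag hex literals that appear in an API-key / secret context on the same line.
KEY_CONTEXT = re.compile(r"api[_-]?key|apikey|secret|token", re.IGNORECASE)


class Finding(NamedTuple):
    path: str
    line: int
    key: str


def redact(key: str) -> str:
    """Show only the ends of a key so reports do not re-leak the credential."""
    return key[:4] + "..." + key[-4:]


def scan_source(text: str, path: str = "<memory>") -> list[Finding]:
    """Return every hex-32 literal used in a key context, with its 1-based line number."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # hashes quoted in comments are not live credentials
        if not KEY_CONTEXT.search(line):
            continue
        for m in HEX32.finditer(line):
            findings.append(Finding(path, lineno, m.group(0)))
    return findings


def scan_tree(root: Path, suffixes: tuple[str, ...] = (".php",)) -> list[Finding]:
    """Walk an unpacked plugin directory and scan every PHP file."""
    out: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            out.extend(scan_source(p.read_text(errors="replace"), str(p)))
    return out


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines with the key redacted."""
    return [f"{f.path}:{f.line}: hardcoded key {redact(f.key)}" for f in findings]


# Constructed stand-in for a module that embeds its key as a literal (NOT the real file).
VULNERABLE_PHP = """<?php
/**
 * Constructed example resembling an obfx module init file; placeholder key only.
 */
class Constructed_Mystock_Module {
    private $api_key = '0123456789abcdef0123456789abcdef'; // hardcoded: should be flagged
    public function recent() {
        return wp_remote_get('https://api.flickr.com/services/rest/?method=flickr.photos.getRecent&api_key=' . $this->api_key);
    }
}
"""

# Constructed hardened form: the key comes from wp-config.php or a site option at runtime.
HARDENED_PHP = """<?php
class Constructed_Mystock_Module {
    private $api_key;
    public function __construct() {
        // OBFX_FLICKR_API_KEY / obfx_flickr_api_key are placeholder names for this example.
        $this->api_key = defined('OBFX_FLICKR_API_KEY')
            ? OBFX_FLICKR_API_KEY
            : get_option('obfx_flickr_api_key', '');
    }
}
"""


if __name__ == "__main__":
    # Usage: python scan_keys.py /path/to/unpacked/plugin
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    found = scan_tree(target) if target else scan_source(VULNERABLE_PHP, "constructed.php")
    print("\n".join(report(found)) or "no hardcoded keys found")
```

The comment filter is deliberately simple; a production scanner would use a PHP tokenizer so that a key split across string concatenation or stored in an array is not missed. Scanning the unpacked release archive (rather than the repository) matters here, because that is exactly what every site running the plugin ships to the public web root.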

