CVE-2021-24170

nvd nist nuclei

Published: Apr 5, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.

Affected (1)

Products: Cozmoslabs: User Profile Picture

1 product

User Profile Picture

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cozmoslabs User Profile Picture	Before 2.5.0

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

https://wpscan.com/vulnerability/29fc5b0e-0a5f-4484-a1e6-a0a1206726cc

Source: contact@wpscan.com

ExploitThird Party Advisory

https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/

Source: contact@wpscan.com

Third Party Advisory

https://wpscan.com/vulnerability/29fc5b0e-0a5f-4484-a1e6-a0a1206726cc

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.