CVE-2021-24473

Published: Aug 2, 2021Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles).

Affected (1)

Products: Cozmoslabs: User Profile Picture

1 product

User Profile Picture

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cozmoslabs User Profile Picture	Before 2.6.0

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://wpscan.com/vulnerability/79982ea9-4733-4b1e-a43e-17629c1136de

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/79982ea9-4733-4b1e-a43e-17629c1136de

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.