Automattic: Remove anyone's pic Gravatar

2015-11-23T16:18:29
ID H1:101145
Type hackerone
Reporter akshyy
Modified 2016-06-05T05:42:50

Description

Hi,

There is no CSRF token while removing an image.

An attacker can delete a victim's Gravatar image just by sending a link.

PoC: https://en.gravatar.com/emails/remove-userimage/you_email_image_id here

Thanks :)
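The report describes a state-changing GET endpoint guarded by nothing but the session cookie, which the browser attaches to any cross-site link or image load. The following is an added example, not part of the report or of Gravatar's code: a constructed in-memory model of such an endpoint, the vulnerable handler beside a hardened one (POST only, per-session synchronizer token compared in constant time, Origin check as defence in depth), and the requests a cross-site attacker and the legitimate user would each produce. Handler names, the `victim-cookie` session, the `img-1234` identifier and the attacker origin are all assumptions made for illustration; only the path shape comes from the report.

```python
"""Added example modelling the bug class in the report; not Gravatar's code."""
import hmac
import secrets

SITE = "https://en.gravatar.com"            # origin taken from the report's PoC URL
ATTACKER_SITE = "https://attacker.example"  # constructed

# Constructed server-side state: one logged-in victim with one uploaded image.
SESSIONS = {"victim-cookie": {"user": "victim", "csrf": secrets.token_hex(16)}}
IMAGES = {"victim": {"img-1234": "avatar.png"}}


def fresh_state():
    """Restore the victim's image so each scenario starts from the same point."""
    IMAGES["victim"] = {"img-1234": "avatar.png"}


def _user(req):
    sess = SESSIONS.get(req.get("cookie"))
    return sess["user"] if sess else None


def vulnerable_remove_userimage(req):
    """GET /emails/remove-userimage/<image_id>: the only credential consulted is
    the session cookie, so whoever gets the victim to load the URL deletes the image."""
    user = _user(req)
    if user is None:
        return 401
    image_id = req["path"].rsplit("/", 1)[-1]
    return 200 if IMAGES[user].pop(image_id, None) else 404


def hardened_remove_userimage(req):
    """Same action, protected: state changes only on POST, a synchronizer token
    bound to the session is required, and the Origin header must be our own."""
    user = _user(req)
    if user is None:
        return 401
    if req["method"] != "POST":
        return 405
    if req.get("origin") != SITE:
        return 403
    token = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, SESSIONS[req["cookie"]]["csrf"]):
        return 403
    image_id = req["path"].rsplit("/", 1)[-1]
    return 200 if IMAGES[user].pop(image_id, None) else 404


def cross_site_get(image_id):
    """What the browser sends when the victim clicks the attacker's link or loads
    <img src="https://en.gravatar.com/emails/remove-userimage/img-1234">:
    a GET carrying the victim's cookie and no Origin header."""
    return {"method": "GET", "path": f"/emails/remove-userimage/{image_id}",
            "cookie": "victim-cookie", "origin": None}


def cross_site_post(image_id):
    """An auto-submitting form on the attacker's page: POST with the cookie,
    but the attacker's Origin and no token (the token never leaves our origin)."""
    return {"method": "POST", "path": f"/emails/remove-userimage/{image_id}",
            "cookie": "victim-cookie", "origin": ATTACKER_SITE, "form": {}}


def legitimate_post(image_id):
    """The victim's own form submission from the Gravatar page, token included."""
    return {"method": "POST", "path": f"/emails/remove-userimage/{image_id}",
            "cookie": "victim-cookie", "origin": SITE,
            "form": {"csrf_token": SESSIONS["victim-cookie"]["csrf"]}}


def run_scenario(handler, request):
    """Reset state, apply one request, return (status, image still present)."""
    fresh_state()
    status = handler(request)
    return status, "img-1234" in IMAGES["victim"]


if __name__ == "__main__":
    for label, handler, req in [
        ("vulnerable, cross-site GET ", vulnerable_remove_userimage, cross_site_get("img-1234")),
        ("hardened,   cross-site GET ", hardened_remove_userimage, cross_site_get("img-1234")),
        ("hardened,   cross-site POST", hardened_remove_userimage, cross_site_post("img-1234")),
        ("hardened,   legitimate POST", hardened_remove_userimage, legitimate_post("img-1234")),
    ]:
        print(label, run_scenario(handler, req))
```

The method check matters on its own: a `SameSite=Lax` cookie would still be sent on the top-level GET navigation that "sending a link" produces, so only refusing to change state on GET plus a token the attacker's origin cannot read closes the hole the report describes.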