User Profile Picture < 2.5.0 - Sensitive Information Disclosure
The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less...
EUVD-2024-46819
Malicious code in bioql PyPI...
PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)
Exploit Title: PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery CSRF Date: 2024-07-01 Exploit Author: Vuln Seeker Cybersecurity Team Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/ Version: = 1.0.5 Tested on: Firefox Contact me: [email protected] The...
CVE-2024-6244 pz-frontend-manager < 1.0.6 - CSRF change user profile picture
The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
WordPress PZ Frontend Manager 1.0.5 Cross Site Request Forgery
Exploit Title: pz-frontend-manager = 1.0.5 - CSRF change user profile picture Date: 2024-07-01 Exploit Author: Vuln Seeker Cybersecurity Team Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/ Version: = 1.0.5 Tested on: Firefox Contact me: [email protected] The plugin does no...
CVE-2024-5639
The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2024-5639 User Profile Picture <= 2.6.1 - Authenticated (Author+) Insecure Direct Object Reference to Profile Picture Update
The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2024-5639
CVE-2024-5639 : The WordPress User Profile Picture plugin (metronet-profile-picture) suffers an Insecure Direct Object Reference in all versions up to and including 2.6.1 due to missing validation in rest_api_change_profile_image. This allows authenticated attackers with Author-level access or hi...
WordPress plugin User Profile Picture security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation; WordPress is a blogging platform developed in the PHP language that supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPress plugin User...
WordPress User Profile Picture plugin <= 2.6.1 - Authenticated Insecure Direct Object Reference to Profile Picture Update vulnerability
Authenticated Insecure Direct Object Reference to Profile Picture Update vulnerability discovered by JoanClarke2 in WordPress Plugin User Profile Picture versions <= 2.6.1...
WordPress User Profile Picture Plugin <= 2.6.1 is vulnerable to Broken Access Control
Software: User Profile Picture. Type: Plugin. Vulnerable versions: <= 2.6.1. Fixed in: 2.6.2. OWASP Top 10: A1: Broken Access Control. Classification: Broken Access Control. CVE: CVE-2024-5639. Patch priority: Low. CVSS severity: Low 4.3. PSID: f06c42237928. Credits: JoanClarke2. Required...
CVE-2021-24473
The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users, including those with higher roles...
Default credentials
The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users, including those with higher roles...
CVE-2021-24473
The CVE-2021-24473 entry concerns the WordPress plugin User Profile Picture, affected in versions before 2.6.0. The vulnerability is an Insecure Direct Object Reference (IDOR) that allows users with the upload_image capability (default: author and above) to change and delete the profile pictures ...
User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR
The plugin was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users, including those with higher roles. PoC: Use a proxy such as Burp Suite to capture the request made when changing your own...
WordPress User Profile Picture Information Disclosure Vulnerability
WordPress is the WordPress Foundation's blogging platform, developed in the PHP language. The platform supports setting up a personal blog site on PHP and MySQL servers. WordPress Plugin is a WordPress open-source application plugin. A security vulnerability exists in the WordPress plugin...
CVE-2021-24170
The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less...
Information disclosure
The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less...
CVE-2021-24170
CVE-2021-24170 affects the WordPress plugin User Profile Picture (versions before 2.5.0). The REST API endpoint get_users exposes password hashes, hashed activation keys, usernames, emails, and other sensitive information to users with the upload_files capability. Root cause: overly verbose respo...
PT-2021-15716
Name of the Vulnerable Software and Affected Versions: User Profile Picture WordPress plugin versions prior to 2.5.0. Description: The issue concerns the REST API endpoint "get_users" in the User Profile Picture WordPress plugin, which returned excessive information to users with the upload_files...