
8 matches found

Positive Technologies
added 3 days ago, 7 views

PT-2026-46220

A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change profile image.php. Executing a manipulation of the argument pr profile image can lead to unrestricted upload. The attack may be launched remotely...

CVSS 6.5, AI score 6.4, EPSS 0.00043
Exploits: 0, References: 7

RedhatCVE
added 2026/02/06 1:30 p.m., 8 views

CVE-2026-1271

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pmuploadimage' and 'pmuploadcoverimage' AJAX actions. This is due to the updateusermeta function being called outsi...

CVSS 5.3, AI score 5.4, EPSS 0.00016
Exploits: 0, References: 1

ATTACKERKB
added 2026/02/05 9:13 a.m., 2 views

CVE-2026-1271

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pmuploadimage' and 'pmuploadcoverimage' AJAX actions. This is due to the updateusermeta function being called outsi...

CVSS 5.3, AI score 5.4, EPSS 0.00016
Exploits: 0, References: 7

Positive Technologies
added 2026/02/05 12:0 a.m., 2 views

PT-2026-6034

Name of the Vulnerable Software and Affected Versions: ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions through 5.9.7.2. Description: The ProfileGrid plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to the update user meta...

CVSS 5.3, AI score 5.4, EPSS 0.00016
Exploits: 0, References: 11

Snyk
added 2026/01/27 2:46 p.m., 2 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the adminorownerrequired function in avatarview.py. An attacker can alter other users' profile images by sending crafted requests while authenticated with standard user privileges...

CVSS 5.3, AI score 5.9, EPSS 0.00011
Exploits: 1, References: 2

Citrix
added 2023/09/18 12:0 a.m., 10 views

Catalog Creation or Change Master Image fails when attempting to create ProvVM

Machine Creation Services actions, such as catalog creation, master image change, or adding additional VMs, may error unexpectedly for failure to create image preparation machine. CDF traces may indicate one of the following: "Error: creating virtual machine failed. AzureWriter-1 timed out while...

AI score 7.3
Exploits: 0

OSV
added 2023/06/09 6:16 a.m., 2 views

CVE-2023-2764

The Draw Attention plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxsetfeaturedimage function in versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with subscriber-level permissions and...

CVSS 4.3, AI score 7.4, EPSS 0.00083
Exploits: 0, References: 3

Hacker One
added 2019/11/20 8:50 a.m., 18 views

U.S. Dept Of Defense: idor on upload profile functionality

Vulnerable URL: https://██████████/███████ID/Common/EditOne/Person/accountid
Steps to reproduce:
1. browse the image and click on the upload button
2. capture this request in burp suite
3. change the value 'personId' parameter to account2 accountid please see screenshot1
4. then goes to account2, th...

AI score 0.5
Exploits: 0