User Profile Picture < 2.6.2 – Authenticated (Author+) Insecure Direct Object Reference to Profile Picture Update | CVE 2024-5639 | Plugin Vulnerabilities

Description

The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update the profile picture of any user.

Affects Plugins

metronet-profile-picture

Fixed in 2.6.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/01a3b9ba-b18a-48d9-8365-d10f79fc6a6b

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

JoanClarke2

Verified

No

WPVDB ID

9451beff-e348-4d32-8855-434c442a91ea

Timeline

Publicly Published

2024-06-20 (about 1 year ago)

Added

2024-06-20 (about 1 year ago)

Last Updated

2024-06-21 (about 1 year ago)

Other

Published

Title

Published

2023-12-27

Title

WooPayments < 6.7.0 - Unauthenticated Order Deletion via IDOR

Published

2024-11-27

Title

Royal Elementor Addons and Templates < 1.7.1004 - Authenticated (Contributor+) Post Disclosure

Published

2026-02-13

Title

SureForms < 2.2.2 - Unauthenticated Stripe Payment Amount Manipulation

Published

2026-03-23

Title

LatePoint – Calendar Booking Plugin for Appointments and Events < 5.2.7 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2024-11-20

Title

If-So Dynamic Content Personalization < 1.9.2.2 - Authenticated (Contributor+) Post Disclosure