WordPress Plugin Vulnerabilities

WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR

Description

The plugin does not properly check for authorisation, allowing authors to delete and update arbitrary avatar

Proof of Concept

Affects Plugins

Plugin icon
wp-user-profile-avatar
Fixed in 1.0.1

References

CVE
CVE-2023-6384
URL
https://research.cleantalk.org/cve-2023-6384-wp-user-profile-avatar-avatar-deletion-update-via-idor-poc

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://research.cleantalk.org
Verified
Yes
WPVDB ID
fbdefab4-614b-493b-a9ae-c5aeff8323ef

Timeline

Publicly Published
2023-12-29 (about 2 years ago)
Added
2023-12-29 (about 2 years ago)
Last Updated
2024-01-10 (about 1 year ago)

Other

Published
Title
Published
2025-01-10
Title
RRAddons for Elementor <= 1.1.0 - Authenticated (Contributor+) Post Disclosure
Published
2025-01-14
Title
Piotnet Addons For Elementor < 2.4.33 - Authenticated (Contributor+) Post Disclosure
Published
2023-06-22
Title
WooCommerce Payments < 4.5.1 - Intent Parameter Tampering
Published
2025-08-30
Title
Create by Mediavine <= 1.9.15 - Unauthenticated Insecure Direct Object Reference
Published
2023-07-05
Title
BadgeOS <= 3.7.1.6 - Subscriber+ IDOR