Skip to main content

User Profile Picture CVE-2026-61971

| EUVDEUVD-2026-43440 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-13 Patchstack
2.7
CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
2.7 LOW

PR:H reflects required high-privilege WordPress account; I:L captures limited profile-picture-only integrity modification with no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:15 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through <= 2.6.3.

AnalysisAI

Insecure Direct Object Reference (IDOR) in Cozmoslabs User Profile Picture WordPress plugin (versions through 2.6.3) allows a high-privileged authenticated attacker to modify the profile picture of arbitrary users by manipulating a user-controlled object key in requests. The flaw stems from CWE-639 - the plugin fails to validate that the authenticated user is authorized to modify the target user's resource before processing the change. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with high-privilege WordPress account
Delivery
Enumerate target user ID via REST API or author pages
Exploit
Craft request substituting victim user ID
Execution
Submit to plugin profile picture update endpoint
Persist
Bypass per-object authorization check
Impact
Overwrite victim's profile picture

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a high-privilege WordPress account (PR:H per CVSS vector), meaning a role such as administrator or editor that is authorized to use the User Profile Picture plugin's update functionality. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A high-privileged WordPress user (such as an editor or administrator) identifies the numeric user ID of a target account through publicly available author archives or the WordPress REST API user endpoint. The attacker then submits a crafted POST request to the plugin's profile picture update handler, substituting the target user's ID in place of their own, causing the plugin to overwrite the victim's profile image with attacker-chosen content. …
Remediation The primary remediation is to update the User Profile Picture plugin to a version beyond 2.6.3 once the vendor releases a patched build; no specific fixed version number is confirmed in the available intelligence data (patch available per vendor/Patchstack advisory - exact version not independently confirmed). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy