Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
PR:H reflects required high-privilege WordPress account; I:L captures limited profile-picture-only integrity modification with no confidentiality or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through <= 2.6.3.
AnalysisAI
Insecure Direct Object Reference (IDOR) in Cozmoslabs User Profile Picture WordPress plugin (versions through 2.6.3) allows a high-privileged authenticated attacker to modify the profile picture of arbitrary users by manipulating a user-controlled object key in requests. The flaw stems from CWE-639 - the plugin fails to validate that the authenticated user is authorized to modify the target user's resource before processing the change. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a high-privilege WordPress account (PR:H per CVSS vector), meaning a role such as administrator or editor that is authorized to use the User Profile Picture plugin's update functionality. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A high-privileged WordPress user (such as an editor or administrator) identifies the numeric user ID of a target account through publicly available author archives or the WordPress REST API user endpoint. The attacker then submits a crafted POST request to the plugin's profile picture update handler, substituting the target user's ID in place of their own, causing the plugin to overwrite the victim's profile image with attacker-chosen content. … |
| Remediation | The primary remediation is to update the User Profile Picture plugin to a version beyond 2.6.3 once the vendor releases a patched build; no specific fixed version number is confirmed in the available intelligence data (patch available per vendor/Patchstack advisory - exact version not independently confirmed). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in User Profile Picture
View allThe REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than
The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_ima
The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, a
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43440