Skip to main content

User Profile Picture

4 CVEs product

Monthly

CVE-2026-61971 LOW Monitor

Insecure Direct Object Reference (IDOR) in Cozmoslabs User Profile Picture WordPress plugin (versions through 2.6.3) allows a high-privileged authenticated attacker to modify the profile picture of arbitrary users by manipulating a user-controlled object key in requests. The flaw stems from CWE-639 - the plugin fails to validate that the authenticated user is authorized to modify the target user's resource before processing the change. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, consistent with its low CVSS score of 2.7.

Authentication Bypass User Profile Picture
NVD
CVSS 3.1
2.7
EPSS
0.3%
CVE-2024-5639 MEDIUM PATCH This Month

The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

WordPress Authentication Bypass User Profile Picture
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2021-24473 MEDIUM POC This Month

The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass User Profile Picture
NVD WPScan
CVSS 3.1
5.4
EPSS
0.8%
CVE-2021-24170 HIGH POC This Week

The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure User Profile Picture
NVD WPScan
CVSS 3.1
7.5
EPSS
4.8%
EPSS 0% CVSS 2.7
LOW Monitor

Insecure Direct Object Reference (IDOR) in Cozmoslabs User Profile Picture WordPress plugin (versions through 2.6.3) allows a high-privileged authenticated attacker to modify the profile picture of arbitrary users by manipulating a user-controlled object key in requests. The flaw stems from CWE-639 - the plugin fails to validate that the authenticated user is authorized to modify the target user's resource before processing the change. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, consistent with its low CVSS score of 2.7.

Authentication Bypass User Profile Picture
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

WordPress Authentication Bypass User Profile Picture
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass User Profile Picture
NVD WPScan
EPSS 5% CVSS 7.5
HIGH POC This Week

The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure User Profile Picture
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy