CVE-2021-24170: User Profile Picture < 2.5.0 - Sensitive Information Disclosure

Vendor: Unknown
Product: User Profile Picture
Weakness: CWE-200 · Info exposure
Published: April 5, 2021
Last update: August 3, 2024

What the vulnerability does

01 Description

The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.
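A regression check for this class of over-disclosure, as an added example that is not part of the original record or the plugin's code: it walks a decoded JSON response and flags the fields the description lists, by name and by value shape. The response layout and both sample payloads are constructed assumptions; the field names are WordPress's wp_users columns, and the value pattern is the phpass portable hash format WordPress used by default at the time.

```python
import re

# wp_users columns corresponding to the items the advisory lists as exposed.
SENSITIVE_KEYS = {"user_pass", "user_activation_key", "user_login", "user_email"}

# phpass portable hash: "$P$" + 31 chars. Stored activation keys carry a
# "<unix time>:" prefix in front of the hash, so that prefix is optional here.
HASH_RE = re.compile(r"^(?:\d+:)?\$P\$[./0-9A-Za-z]{31}$")


def find_leaks(node, path="$"):
    """Walk a decoded JSON value and return a list of (path, reason) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                findings.append((child, "sensitive field name"))
            findings.extend(find_leaks(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_leaks(item, f"{path}[{i}]"))
    elif isinstance(node, str) and HASH_RE.match(node):
        # Catches a hash even when it is returned under a renamed key.
        findings.append((path, "value looks like a password hash"))
    return findings


# Constructed sample: a user object serialised whole (layout is an assumption).
OVER_DISCLOSING = [{
    "ID": 1,
    "display_name": "Admin",
    "data": {
        "user_login": "admin",
        "user_pass": "$P$B" + "a" * 30,
        "user_email": "admin@example.test",
        "user_activation_key": "1617580800:$P$B" + "b" * 30,
    },
}]

# Constructed sample: only what a user picker needs.
MINIMAL = [{"ID": 1, "display_name": "Admin"}]

if __name__ == "__main__":
    for finding in find_leaks(OVER_DISCLOSING):
        print(*finding, sep="  ")
    print("minimal response findings:", find_leaks(MINIMAL))
```
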

Key dates

02 Disclosure timeline

April 5, 2021: CVE published
August 3, 2024: Record updated