CVE-2026-61971 LOW

CVE-2026-61971: WordPress User Profile Picture plugin <= 2.6.3 - Insecure Direct Object References (IDOR) vulnerability

Vendor Cozmoslabs
Product User Profile Picture
Weakness CWE-639 · IDOR
Published July 13, 2026
Last update July 13, 2026

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through <= 2.6.3.

Explanation of Vulnerability in Simple Terms

02Summary

User Profile Picture versions 2.6.3 and earlier contain an authorization flaw that allows high-privileged users to modify data they should not have access to. The vulnerability requires administrator-level access and does not affect confidentiality or availability. A patch is available in versions newer than 2.6.3.

What an attacker can do

03Attacker Capabilities

Modify data within the application if they have administrator privileges.

Potential impact on your site

04Site Impact

Administrators with malicious intent or compromised admin accounts can alter application data in unintended ways.

Conditions required to exploit

05Prerequisites

Attacker must have administrator-level access to the site.

Key dates

06Disclosure timeline

July 13, 2026 CVE published
July 13, 2026 Record updated

Related vulnerabilities

08Related CVE