CVE-2021-24170
Published: 2021-04-05
Priority: P277 (high), CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (in-the-wild exploit; listed in VulnCheck KEV)
EPSS: 4.79% (90.8th percentile)
The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cozmoslabs | user_profile_picture | < 2.5.0 | 2.5.0 |
Detection & IOCs (extracted from sources)
- Exploit requires authentication: the attacker must first authenticate via /wp-login.php and obtain a valid wordpress_logged_in_ cookie, then retrieve a REST nonce via admin-ajax.php before calling the vulnerable endpoint.
- Successful exploitation of the vulnerable REST API endpoint returns a JSON response containing the fields 'ID', 'user_login', and 'user_pass' (password hashes), which can be used as a detection signal.
- Monitor for POST requests to the REST API path /mpp/v2/get_users (also reachable via the rest_route parameter) carrying a valid X-WP-Nonce header, especially those answered with HTTP 200 and an application/json content-type.
- Presence of the plugin can be fingerprinted by scanning HTTP response bodies for the string '/wp-content/plugins/metronet-profile-picture'.
- The vulnerability affects users with the 'upload_files' capability: monitor for REST API calls to the get_users endpoint from lower-privileged WordPress roles (e.g., Author) that should not have access to password hashes.
- Exploitation requires authentication with at least the 'upload_files' capability (typically the Author role or higher); unauthenticated exploitation is not possible.
- The vulnerable REST API endpoint is only present in User Profile Picture plugin versions before 2.5.0; patched installations do not expose sensitive data through this endpoint.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | | 7.5 | HIGH | |
GHSA
GHSA-rgpr-gv7f-4cf5 (unreviewed, 2022-05-24): CVE-2021-24170, severity HIGH, CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The advisory text matches the description above.
VulnCheck
cozmoslabs user_profile_picture: Exposure of Sensitive Information to an Unauthorized Actor (2021, CVSS 7.5, HIGH). The advisory text matches the description above.
Affected: cozmoslabs user_profile_picture
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/users-profile-picture/user-profile-picture-240-sensitive-information-disclosure
No detection rules found.
Nuclei
User Profile Picture < 2.5.0 - Sensitive Information Disclosure (CVSS 7.5, HIGH). The template description matches the CVE description above.
Template (info section as shown on this page):

```yaml
id: CVE-2021-24170

info:
  name: User Profile Picture < 2.5.0 - Sensitive Information Disclosure
  author: s4e-io
  severity: high
  description: |
    The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.
  reference:
    - https://wpscan.com/vulnerability/29fc5b0e-0a5f-4484-a1e6-a0a1206726cc
    - https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/
```