cbcvebase.
CVE-2021-24170
published 2021-04-05

Priority: P2 · 77 · high · 7.5 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.79% (90.8th percentile)
The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.

Affected

1 range

Vendor       Product                Version range   Fixed in
cozmoslabs   user_profile_picture   < 2.5.0         2.5.0

Detection & IOCs (extracted from sources)

url:  /wp-admin/admin-ajax.php?action=rest-nonce
url:  /index.php?rest_route=/mpp/v2/get_users
path: /wp-content/plugins/metronet-profile-picture
  • Exploit requires authentication: attacker must first authenticate via /wp-login.php and obtain a valid wordpress_logged_in_ cookie, then retrieve a REST nonce via admin-ajax.php before calling the vulnerable endpoint.
  • Successful exploitation of the vulnerable REST API endpoint returns a JSON response containing the fields 'ID', 'user_login', and 'user_pass' (password hashes), which can be used as a detection signal.
  • Monitor for POST requests to the REST API path /mpp/v2/get_users (also accessible via rest_route parameter) with a valid X-WP-Nonce header, especially returning HTTP 200 with application/json content-type.
  • Presence of the plugin can be fingerprinted by scanning HTTP response bodies for the string '/wp-content/plugins/metronet-profile-picture'.
  • The vulnerability affects users with the 'upload_files' capability — monitor for REST API calls to the get_users endpoint from lower-privileged WordPress roles (e.g., Author) that should not have access to password hashes.
  • Exploitation requires authentication with at least 'upload_files' capability (typically Author role or higher); unauthenticated exploitation is not possible.
  • The vulnerable REST API endpoint is only present in User Profile Picture plugin versions before 2.5.0; patched installations will not expose this endpoint with sensitive data.
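As an added illustration of the monitoring points above (example code, not part of this advisory or of the plugin), the following Python scan walks constructed web-server access-log lines and flags every request that reaches the get_users route, whether through the standard WordPress /wp-json/ REST base or through the rest_route query parameter (URL-encoded or not), and records whether the same client fetched a REST nonce via admin-ajax.php earlier in the log. The log lines are constructed samples; the RFC 5737 addresses are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: client IP, method, request target and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
GET_USERS_ROUTE = "/mpp/v2/get_users"

# Constructed sample log: one client that follows the nonce-then-get_users sequence
# (the access pattern described in the advisory) and one unrelated client.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2021:10:00:02 +0000] "POST /index.php?rest_route=%2Fmpp%2Fv2%2Fget_users HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Apr/2021:10:01:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Apr/2021:10:01:05 +0000] "POST /wp-json/mpp/v2/get_users HTTP/1.1" 401 88 "-" "curl/7.68.0"
"""

def targets_get_users(target: str) -> bool:
    """True when the request target reaches mpp/v2/get_users, either under the
    /wp-json/ REST base (also from a subdirectory install) or via ?rest_route=."""
    parts = urlsplit(target)
    if unquote(parts.path).rstrip("/").endswith("/wp-json" + GET_USERS_ROUTE):
        return True
    # parse_qs already percent-decodes values; unquote again covers double encoding.
    return any(unquote(r).rstrip("/") == GET_USERS_ROUTE
               for r in parse_qs(parts.query).get("rest_route", []))

def scan_access_log(lines):
    """Return one record per get_users request: client, method, status, and whether
    that client requested a REST nonce through admin-ajax.php earlier in the log."""
    nonce_clients = set()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        query = parse_qs(parts.query)
        if parts.path.endswith("/wp-admin/admin-ajax.php") and query.get("action") == ["rest-nonce"]:
            nonce_clients.add(m["ip"])
        elif targets_get_users(m["target"]):
            hits.append({"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
                         "nonce_seen": m["ip"] in nonce_clients})
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit with status 200 from a client that fetched a nonce first is the strongest signal; a 401 means the call was rejected and is worth correlating with the account involved.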

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck             7.5     HIGH