Back to KEVs

CVE-2021-24170

User Profile Picture < 2.5.0 - Sensitive Information Disclosure

Basic Information

CVE State
PUBLISHED
Reserved Date
January 14, 2021
Published Date
April 05, 2021
Last Updated
August 03, 2024
Vendor
Unknown
Product
User Profile Picture
Description
The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.
Tags
wordpress

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2.0

5.0

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Score

Score
0.55% (Percentile: 66.82%) as of 2025-05-12

Exploit Status

Exploited in the Wild
Yes (2021-03-03 06:33:07 UTC) Source

References

https://wpscan.com/vulnerability/29fc5b0e-0a5f-4484-a1e6-a0a1206726cc https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/

Known Exploited Vulnerability Information

Source Added Date
Wordfence 2021-03-03 06:33:07 UTC

Timeline

  • CVE ID Reserved

  • Added to KEVIntel

  • CVE Published to Public