CVE-2024-5639
📋 TL;DR
The User Profile Picture WordPress plugin has an Insecure Direct Object Reference vulnerability that allows authenticated attackers with Author-level permissions or higher to change any user's profile picture. This affects all plugin versions up to and including 2.6.1. The vulnerability exists due to insufficient validation of user-controlled parameters in the 'rest_api_change_profile_image' function.
💻 Affected Systems
- User Profile Picture WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could change administrator profile pictures to inappropriate content, potentially damaging reputation or enabling social engineering attacks.
Likely Case
Author-level users changing other users' profile pictures without authorization, causing confusion or minor disruption.
If Mitigated
Limited to profile picture changes only, no data theft or system compromise.
🎯 Exploit Status
Exploitation requires authenticated access with at least Author-level permissions. The vulnerability is in a REST API endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3105132/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'User Profile Picture' plugin.
4. Click 'Update Now' if available, or download version 2.6.2+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the User Profile Picture plugin until patched
wp plugin deactivate metronet-profile-picture
Restrict user permissions
Temporarily reduce Author-level users to lower privilege roles
🧯 If You Can't Patch
- Implement web application firewall rules to block requests to the vulnerable REST endpoint
- Monitor user profile changes and audit logs for unauthorized modifications
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins → Installed Plugins. If the version is 2.6.1 or lower, the site is vulnerable.
Check Version:
wp plugin get metronet-profile-picture --field=version
Verify Fix Applied:
After updating, verify plugin version shows 2.6.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple profile picture update requests from same user ID targeting different user IDs
- REST API calls to /wp-json/metronet-profile-picture/v1/change-profile-image with modified user parameters
Network Indicators:
- POST requests to /wp-json/metronet-profile-picture/v1/change-profile-image with unexpected user_id parameters
SIEM Query:
source="wordpress" AND uri_path="/wp-json/metronet-profile-picture/v1/change-profile-image" AND http_method="POST"
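The SIEM query above only selects POSTs to the endpoint; the first log indicator (one user ID changing pictures for several other user IDs) needs a second pass over those hits. The following script is an added example, not part of this advisory or of the plugin, that performs that correlation over constructed JSON-lines audit records. The field names `actor_id` (the authenticated user making the request) and `target_id` (the user ID parameter sent in the request) are assumptions for the example; map them to whatever your WordPress audit or access logging actually emits.

```python
import json
from collections import defaultdict

# Endpoint named in the advisory's network indicators.
ENDPOINT = "/wp-json/metronet-profile-picture/v1/change-profile-image"

# Constructed sample audit records (JSON lines) for the example; these are not real logs.
# actor_id / target_id are assumed field names: the requesting user and the user_id parameter.
SAMPLE_LOG = """\
{"ts": "2024-06-10T09:00:01Z", "source": "wordpress", "http_method": "POST", "uri_path": "/wp-json/metronet-profile-picture/v1/change-profile-image", "actor_id": 7, "target_id": 7}
{"ts": "2024-06-10T09:00:05Z", "source": "wordpress", "http_method": "POST", "uri_path": "/wp-json/metronet-profile-picture/v1/change-profile-image", "actor_id": 7, "target_id": 1}
{"ts": "2024-06-10T09:00:09Z", "source": "wordpress", "http_method": "POST", "uri_path": "/wp-json/metronet-profile-picture/v1/change-profile-image", "actor_id": 7, "target_id": 2}
{"ts": "2024-06-10T09:01:00Z", "source": "wordpress", "http_method": "GET", "uri_path": "/wp-json/wp/v2/users/me", "actor_id": 7, "target_id": null}
{"ts": "2024-06-10T09:02:00Z", "source": "wordpress", "http_method": "POST", "uri_path": "/wp-json/metronet-profile-picture/v1/change-profile-image", "actor_id": 12, "target_id": 12}
{"ts": "2024-06-10T09:03:00Z", "source": "wordpress", "http_method": "POST", "uri_path": "/wp-json/metronet-profile-picture/v1/change-profile-image", "actor_id": 1, "target_id": 5}
"""


def parse_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def profile_image_changes(events):
    """Same selection as the advisory's SIEM query: WordPress POSTs to the vulnerable endpoint."""
    return [
        e for e in events
        if e.get("source") == "wordpress"
        and e.get("http_method") == "POST"
        and e.get("uri_path") == ENDPOINT
    ]


def cross_user_targets(events):
    """Map each actor_id to the set of *other* user IDs whose picture it tried to change.

    Self-changes (actor_id == target_id) are the normal use of the endpoint and are dropped.
    """
    targets = defaultdict(set)
    for e in profile_image_changes(events):
        actor, target = e.get("actor_id"), e.get("target_id")
        if target is not None and actor != target:
            targets[actor].add(target)
    return dict(targets)


def flag_actors(events, min_distinct_targets=2, trusted_actors=frozenset()):
    """Actors that changed pictures of at least min_distinct_targets other users.

    trusted_actors lets the analyst exclude accounts (e.g. known administrators) that are
    expected to edit other users' profiles; the log alone cannot tell role from ID.
    """
    return sorted(
        actor
        for actor, seen in cross_user_targets(events).items()
        if len(seen) >= min_distinct_targets and actor not in trusted_actors
    )


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("cross-user changes:", cross_user_targets(ev))
    print("flagged actors:", flag_actors(ev))
```

With the constructed records, actor 7 is flagged because it targeted two other accounts (IDs 1 and 2). Actor 1 changing user 5 also appears in `cross_user_targets` but is below the default threshold; whether that is an administrator doing legitimate work or a misuse of the IDOR cannot be decided from the request alone, so correlate the actor ID against the role table (or pass known admin IDs as `trusted_actors`) before raising an alert.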
🔗 References
- https://plugins.trac.wordpress.org/browser/metronet-profile-picture/tags/2.6.1/metronet-profile-picture.php#L1122
- https://plugins.trac.wordpress.org/browser/metronet-profile-picture/tags/2.6.1/metronet-profile-picture.php#L989
- https://plugins.trac.wordpress.org/changeset/3105132/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/01a3b9ba-b18a-48d9-8365-d10f79fc6a6b?source=cve