CVE-2021-24473: 
WordPress vulnerability analysis and mitigation

The User Profile Picture WordPress plugin before version 2.6.0 contained an Insecure Direct Object Reference (IDOR) vulnerability. This security issue was discovered and publicly disclosed on June 28, 2021, and was assigned CVE-2021-24473. The vulnerability affected the profile picture management functionality in the WordPress plugin metronet-profile-picture (WPScan).

The vulnerability was classified as an IDOR (Insecure Direct Object Reference) issue, identified as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. The issue allowed users with the uploadimage capability to manipulate the userid parameter in HTTP POST requests to the admin-ajax.php endpoint (NVD, WPScan).

The vulnerability allowed users with the upload_image capability (by default author role and above) to modify or delete profile pictures of other users, including those with higher privilege levels. This could lead to unauthorized modification of user profile images and potential disruption of the website's user interface (WPScan).

The vulnerability was fixed in version 2.6.0 of the User Profile Picture WordPress plugin. Users should upgrade to this version or later to mitigate the security risk (WPScan).