CVE-2023-6384: 
WordPress vulnerability analysis and mitigation

The WP User Profile Avatar WordPress plugin before version 1.0.1 contains a security vulnerability identified as CVE-2023-6384. The vulnerability was discovered and reported by Dmitrii Ignatyev, and it was publicly disclosed on December 29, 2023. This security issue affects the plugin's authorization mechanism for avatar management functionality (WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue and has been assigned CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS v3.1 base score is 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability exists in the avatar management functionality where the plugin fails to implement proper authorization checks (NVD).

When exploited, this vulnerability allows users with author-level privileges to delete and update arbitrary avatars of other users on the WordPress site. This unauthorized access to avatar management functions could lead to potential defacement or manipulation of user profiles (WPScan).

The vulnerability has been fixed in version 1.0.1 of the WP User Profile Avatar plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan).