WP User Profile Avatar <= 1.0.6 – Missing Authorization | ww.wp.xz.cn

wp-fred
(@wp-fred-1)

9 months, 3 weeks ago

Hello Support,

I got a message from Wordfence the wp-user-profile-avatar plugin has a potential security problem:

The WP User Profile Avatar plugin for WordPress is vulnerable to
unauthorized access due to a missing capability check on a function in
all versions up to, and including, 1.0.6. This makes it possible for
authenticated attackers, with Subscriber-level access and above, to
perform an unauthorized action.

CVSS 4.3 (Medium)

Source: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-profile-avatar/wp-user-profile-avatar-106-missing-authorization

Will there be an update coming to overcome this security problem?

The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)

tonyomc
(@tonyomc)

9 months, 1 week ago

Fred, did you ever get a response to this security issue?

Thread Starter wp-fred
(@wp-fred-1)

9 months, 1 week ago

Tony, No I have no answer yet. I hope they will still respond.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘WP User Profile Avatar <= 1.0.6 – Missing Authorization’ is closed to new replies.

2 replies
2 participants
Last reply from: wp-fred
Last activity: 9 months, 1 week ago
Status: not resolved