'; } else{ echo ''; } echo '
|
|
|||
| Rule General Information |
|---|
| Release Date: | 2026-06-16 | |
| Rule Name: | WordPress User Profile Picture Plugin Sensitive Information Disclosure Vulnerability (CVE-2021-24170) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | User Profile Picture WordPress plugin versions prior to 2.5.0 contain an information disclosure vulnerability in the REST API endpoint /wp-json/mpp/v2/get_users that allows authenticated users with upload_files capability to retrieve sensitive user information including password hashes. | |
| Impact: | Authenticated attackers with upload_files capability can retrieve sensitive user information including usernames, email addresses, and password hashes, potentially leading to account takeover through offline password cracking. | |
| Affected OS: | Windows, Linux, Others | |
| Reference: | https://nvd.nist.gov/vuln/detail/CVE-2021-24170 |
|
| Solutions |
|---|
| Please contact the software vendor to update the software patch. |