CVE-2021-24675

Summary

The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack

Affected Software

VendorProductVersion RangeStatus
UnknownOne User AvatarUser Profile Picture2.3.7 < 2.3.7

Weaknesses

  • CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CVE Program Container

Additional References

References