CVE-2021-24170

Name of the Vulnerable Software and Affected Versions: User Profile Picture WordPress plugin versions prior to 2.5.0

Description: The issue concerns the REST API endpoint "get users" in the User Profile Picture WordPress plugin, which returned excessive information to users with the upload files capability. This included sensitive data such as password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.

Recommendations: For versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "get users" API endpoint to minimize the risk of exploitation. Avoid using the upload files capability for users who do not require it until the issue is resolved.