On the 15th February 2021, Wordfence discovered a medium threat security vulnerability in the plugin called User Profile Picture. The WordPress Plugin has been installed on over 60,000 sites. The vulnerability if left unpatched makes it possible for authenticated users with the upload_files capability to obtain sensitive user information. The plugin has since released a patch on February 18, 2021. It is highly recommended to ensure the plugin is updated to version 2.5.0 immediately.
Description: Sensitive Information Disclosure
Affected Plugin: User Profile Picture
Plugin Slug: metronet-profile-picture
Affected Versions: <= 2.4.0
CVE ID:CVE-2021-24170
CVSS Score: 6.5 (Medium)
CVSS Vector:CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Fully Patched Version: 2.5.0
To stop issues like this Hosted WP suggest looking at service like our WordPress Maintenance services to ensure you are always updated and protected from plugin security issues
Full information and the technical information can be found at https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/