
CVE-2025-3855 PoC — CodeCanyon RISE Ultimate Project Manager Profile Picture save_profile_image resource injection

Associated Vulnerability
Title: CodeCanyon RISE Ultimate Project Manager Profile Picture save_profile_image resource injection (CVE-2025-3855)
Description: A vulnerability was found in CodeCanyon RISE Ultimate Project Manager 3.8.2 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php/team_members/save_profile_image/ of the component Profile Picture Handler. The manipulation of the argument profile_image_file leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Description
CVE-2025-3855 - RISE Ultimate Project Manager - IDOR
Readme
# CVE-2025-3855 - RISE Ultimate Project Manager - IDOR

Security vulnerability: IDOR (Insecure Direct Object Reference)<br>
Affected Component: profile image upload endpoint, team_members controller<br>
Software: RISE - Ultimate Project Manager & CRM<br>
Vendor: codecanyon<br>
Version: 3.8.2<br>

CVE ORG: https://www.cve.org/CVERecord?id=CVE-2025-3855<br>
NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-3855<br>
CVE DETAILS: https://www.cvedetails.com/cve/CVE-2025-3855<br>

Describe the bug/issue:

A vulnerability was discovered in RISE - Ultimate Project Manager & CRM that allows an authenticated user to change the profile picture of any other user by exploiting an Insecure Direct Object Reference (IDOR) in the /index.php/team_members/save_profile_image/[user_id] endpoint. The application does not properly validate whether the authenticated user is authorized to update the specified user ID’s profile image, allowing unauthorized modification of user data. This flaw impacts data integrity and may lead to impersonation or disruption of user experience.

To Reproduce:

🧑‍💼 1. Authenticated Access to Profile Settings

An authenticated user navigates to the "My Profile" section of the application, where they are provided with an option to upload or update their profile image.

<img src="https://github.com/L4zyFox/RISE-Ultimate_Project_Manager_e_CRM/blob/main/01-upload.png">

📤 2. Interception of the Upload Request

Upon uploading a profile image, the request can be intercepted using a proxy tool such as Burp Suite. The request is a POST to the following endpoint:

``POST /index.php/team_members/save_profile_image/36``

Here, 36 corresponds to the authenticated user's numeric ID.

<img src="https://github.com/L4zyFox/RISE-Ultimate_Project_Manager_e_CRM/blob/main/02-Interc.png">

🔁 3. Exploiting the IDOR via User ID Manipulation

By changing the ID in the URL path to that of another valid user, for example:

``POST /index.php/team_members/save_profile_image/44``

The application processes the request and updates the profile picture of user ID 44, without performing any access control checks.

<img src="https://github.com/L4zyFox/RISE-Ultimate_Project_Manager_e_CRM/blob/main/03-edited-Interc.png">

🔐 4. Lack of Authorization Validation

The server-side implementation fails to validate whether the authenticated user is authorized to perform the action on the targeted user ID. As a result, any authenticated user can change the profile images of other users, impacting the integrity of user data and potentially leading to impersonation or user confusion.
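The ownership check that step 4 says is missing, placed beside a handler that behaves as the advisory describes, and a retrospective check over application logs for the same pattern. This is an added Python illustration, not code from RISE, from CodeIgniter, or from the PoC author; the `Session` object, the admin exception, the handler names and the log line format are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Route of the affected endpoint, as named in the advisory. Only the
# numeric path segment is captured.
SAVE_PROFILE_IMAGE = re.compile(r"^/index\.php/team_members/save_profile_image/(\d+)$")


@dataclass
class Session:
    """Assumed session object: who is calling and whether they are an admin."""
    user_id: int
    is_admin: bool = False


def target_user_id(path: str):
    """Return the user id named in the path, or None if the path is not this route."""
    match = SAVE_PROFILE_IMAGE.match(path)
    return int(match.group(1)) if match else None


def vulnerable_handler(session: Session, path: str):
    """Behaviour described in the advisory: the id in the path is acted on as given.

    Returns (http_status, id of the profile that would be updated).
    """
    uid = target_user_id(path)
    if uid is None:
        return 404, None
    return 200, uid  # never compared against session.user_id


def hardened_handler(session: Session, path: str):
    """Ownership check: a user may update only their own profile image; admins any.

    The admin exception is an assumption for this example, not RISE's policy.
    """
    uid = target_user_id(path)
    if uid is None:
        return 404, None
    if uid != session.user_id and not session.is_admin:
        return 403, None  # deny before touching any user record
    return 200, uid


# Retrospective detection over application logs. The line format
# "<timestamp> user=<session user id> <method> <path> <status>" is a
# constructed one for this example, not RISE's own log format.
LOG_LINE = re.compile(r"^(\S+) user=(\d+) (\S+) (\S+) (\d{3})$")


def find_cross_user_updates(log_lines):
    """Return (timestamp, actor_id, target_id) for successful POSTs to the
    endpoint where the session user id differs from the id in the path."""
    hits = []
    for line in log_lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        ts, actor, method, path, status = match.groups()
        target = target_user_id(path)
        if method != "POST" or target is None or status != "200":
            continue
        if int(actor) != target:
            hits.append((ts, int(actor), target))
    return hits


# Constructed sample log: one legitimate self-update, one cross-user update,
# and one unrelated request.
SAMPLE_LOG = [
    "2025-04-21T10:01:55Z user=36 POST /index.php/team_members/save_profile_image/36 200",
    "2025-04-21T10:02:13Z user=36 POST /index.php/team_members/save_profile_image/44 200",
    "2025-04-21T10:02:40Z user=44 GET /index.php/team_members/view/44 200",
]

if __name__ == "__main__":
    for ts, actor, target in find_cross_user_updates(SAMPLE_LOG):
        print(f"{ts}: user {actor} updated the profile image of user {target}")
```

The point of `hardened_handler` is that the path id is treated as untrusted input and compared with the identity the server already holds in the session before any record is touched; the check must live server-side because the client controls the URL. The log scan cannot tell an admin's legitimate update from an abusive one, so its hits are leads to be cross-checked against the actor's role, not verdicts.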

File Snapshot

/data/pocs/91ff8e006dfc0fcdff03116bd25a7b7712d6849e
├── 01-upload.png (58K)
├── 02-Interc.png (58K)
├── 03-edited-Interc.png (80K)
└── README.md (2.6K)
0 directories, 4 files