Stored Cross-Site Scripting Vulnerability in UserPro Plugin for WordPress
CVE-2023-2439

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: UserPro - Community and User Profile WordPress Plugin
Vendor: CVE Published:; 31 January 2024

Summary

The UserPro plugin for WordPress exhibits vulnerabilities due to inadequate sanitization of user-supplied attributes within the 'userpro' shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject malicious web scripts into WordPress pages. Such script injections can result in arbitrary code execution when other users access the affected pages, potentially compromising sensitive information and web application integrity.

Affected Version(s)

UserPro - Community and User Profile WordPress Plugin 5.1.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/userpro-user-profiles-with-so...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 31, 2024
Vulnerability Reserved
May 1, 2023

Credit

István Márton