Cross-Site Request Forgery in UserPro Plugin for WordPress
CVE-2023-2440

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Userpro - Community And User Profile WordPress Plugin
Vendor: CVE Published:; 22 November 2023

Summary

The UserPro plugin for WordPress has a Cross-Site Request Forgery vulnerability, allowing unauthenticated attackers to exploit missing nonce validation in critical functions. Attackers can elevate the user privileges of verified users by tricking site administrators into executing malicious requests. This vulnerability exists in versions of the plugin up to and including 5.1.1, creating risks for user role modifications and potential unauthorized access.

Affected Version(s)

UserPro - Community and User Profile WordPress Plugin * <= 5.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/userpro-user-profiles-with-so...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 22, 2023
Vulnerability Reserved
May 1, 2023

Credit

István Márton