Unauthorized Access Vulnerability in UserPro Plugin for WordPress
CVE-2023-2448
5.3 MEDIUM
Key Information:
- Vendor: WordPress
- Vendor
- CVE Published: 22 November 2023
Summary
The UserPro plugin for WordPress is missing a capability check on the 'userpro_shortcode_template' function. This allows unauthorized users to execute arbitrary shortcodes, potentially leading to unauthorized access to sensitive data. Attackers can exploit this weakness without authentication, compromising user data security. Site owners should update to the latest version and implement necessary security measures to defend against this type of attack.
Affected Version(s)
UserPro - Community and User Profile WordPress Plugin * <= 5.1.4
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
István Márton