WordPress ProfilePress Plugin <= 4.13.2 is vulnerable to Sensitive Data Exposure
CVE-2023-44150

7.5HIGH

Key Information:

Vendor: WordPress
Status: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – Profilepress
Vendor: CVE Published:; 30 November 2023

What is CVE-2023-44150?

The ProfilePress Membership Plugin, which includes features for ecommerce, registration forms, login forms, user profiles, and content restriction, is susceptible to a vulnerability that allows unauthorized actors to gain access to sensitive information. This exposure can occur through debug log files, allowing attackers to retrieve critical personal data from users. The issue is present in versions up to 4.13.2, and it poses substantial risks for any site utilizing this plugin, making it essential for website administrators to ensure they implement necessary security measures and updates.

Affected Version(s)

Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.13.2

References

https://patchstack.com/database/vulnerability/wp-user-ava...

vdb-entry

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 30, 2023
Vulnerability Reserved
Sep 26, 2023

Credit

Joshua Chan (Patchstack Alliance)