Unauthorized Access and Data Manipulation in UserPro Plugin for WordPress
CVE-2023-6007

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: UserPro - Community and User Profile WordPress Plugin
Vendor: CVE Published:; 22 November 2023

Summary

The UserPro plugin for WordPress allows unauthorized users to gain access to sensitive data and modify or delete user metadata due to a missing capability check in multiple functions. This vulnerability affects all versions up to and including 5.1.1, enabling unauthenticated attackers to exploit the system and manipulate user profiles, which can lead to significant data integrity issues.

Affected Version(s)

UserPro - Community and User Profile WordPress Plugin * <= 5.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/userpro-user-profiles-with-so...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 22, 2023
Vulnerability Reserved
Nov 8, 2023

Credit

István Márton