PHP Remote File Inclusion Vulnerability in UserPro Private Messages Plugin
CVE-2025-22311

7.5HIGH

Key Information:

Vendor: Notfound
Status: Private Messages For Userpro
Vendor: CVE Published:; 21 January 2025

Summary

A PHP Remote File Inclusion vulnerability exists in the Private Messages for UserPro plugin. It can be exploited through improper control of the filename supplied to include/require statements, potentially allowing unauthorized access to sensitive files and data. This issue affects versions from n/a to 4.10.0, emphasizing the need for users to update their installations promptly to safeguard against possible attacks.

Affected Version(s)

Private Messages for UserPro <= 4.10.0

References

https://patchstack.com/database/wordpress/plugin/userpro-...

vdb-entry

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 21, 2025
Vulnerability Reserved
Jan 3, 2025

Credit

Bonds (Patchstack Alliance)