Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-10-18
CVE-2024-9863 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.
PLUGIN
Userpro
CVE-2024-9863
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-0701 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 5.1.6. This is due to the use of client-side restrictions to enforce the 'Disabled registration' Membership feature within the plugin's General settings. This makes it possible for unauthenticated attackers to register an account even when account registration has been disabled by an administrator.
PLUGIN
Userpro
CVE-2024-0701
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2439 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userpro' shortcode in versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Userpro
CVE-2023-2439
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6009 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.
PLUGIN
Userpro
CVE-2023-6009
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6007 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.
PLUGIN
Userpro
CVE-2023-6007
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6008 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.
PLUGIN
Userpro
CVE-2023-6008
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2449 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 5.1.1. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (userpro_process_form). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-2448 and CVE-2023-2446, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this…
PLUGIN
Userpro
CVE-2023-2449
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2437 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.1. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. An attacker can leverage CVE-2023-2448 and CVE-2023-2446 to get the user's email address to successfully exploit this vulnerability.
PLUGIN
Userpro
CVE-2023-2437
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2497 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'import_settings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection due to the use of unserialize() on the user supplied parameter via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Userpro
CVE-2023-2497
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2440 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing nonce validation in the 'admin_page', 'userpro_verify_user' and 'verifyUnverifyAllUsers' functions. This makes it possible for unauthenticated attackers to modify the role of verified users to elevate verified user privileges to that of any user such as 'administrator' via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Userpro
CVE-2023-2440
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2448 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to arbitrary shortcode execution. An attacker can leverage CVE-2023-2446 to get sensitive information via shortcode.
PLUGIN
Userpro
CVE-2023-2448
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2438 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'userpro_save_userdata' function. This makes it possible for unauthenticated attackers to update the user meta and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Userpro
CVE-2023-2438
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2446 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account.
PLUGIN
Userpro
CVE-2023-2446
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2447 - Userpro Plugin
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the 'export_users' function. This makes it possible for unauthenticated attackers to export the users to a csv file, granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Userpro
CVE-2023-2447
Risk Score