331 matches found
WordPress UserPro premium plugin <= 4.9.23 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Yonatan Correa in WordPress UserPro premium plugin versions <= 4.9.23. Solution: Update the WordPress UserPro premium plugin to the latest available version (at least 4.9.24)...
CVE-2018-16285
The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php...
CVE-2018-16285
The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php...
Design/Logic Flaw
The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php...
CVE-2018-16285
CVE-2018-16285 affects the WordPress UserPro premium plugin up to version 4.9.23. The vulnerability is an XSS in the shortcode handling: attacker-supplied content passed to the userpro_shortcode_template action is reflected into wp-admin/admin-ajax.php, enabling cross-site scripting. Im...
CVE-2018-16285
The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php...
UserPro <= 4.9.23 - Unauthenticated Cross-Site Scripting (XSS)
An XSS vulnerability that affects from version 2.13 to 4.9.23. POST /wp-admin/admin-ajax.php Host: domain.com action=userproshortcodetemplate&shortcode=userpro id=1 layout="float" collageperpage="20" emdpaginatetop="1" emdpaginate="1" emdgender="Gender,radi...
UserPro <= 4.9.23 - Unauthenticated Cross-Site Scripting (XSS)
An XSS vulnerability that affects from version 2.13 to 4.9.23. PoC POST /wp-admin/admin-ajax.php Host: domain.com action=userproshortcodetemplate=userpro id=1 layout="float" collageperpage="20" emdpaginatetop="1" emdpaginate="1" emdgender="Gender,radi...
UserPro Plugin for WordPress up_auto_log Parameter Remote Authentication Bypass
The UserPro Plugin for WordPress running on the remote web server is prior to version 4.9.17.1. It is, therefore, affected by a remote authentication bypass vulnerability. A remote, unauthenticated attacker can exploit this vulnerability, via a specially crafted request, to login as an...
UserPro <= 4.9.20 - User Registration With Administrator Role
According to the changelog: Version 4.9.21 (13 Mar 2018) - Security Fix: Registration role validation fix...
WordPress UserPro Plugin < 4.9.17.1 Authentication Bypass Vulnerability
The WordPress plugin SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description scriptoid"1.3.6.1.4.1.25623.1.0.113055";...
WordPress Userpro Plugin Authentication Bypass (CVE-2017-16562)
An authentication bypass vulnerability exists in WordPress Userpro Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system...
CVE-2017-16562
The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to the default URI...
CVE-2017-16562
The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to the default URI...
Immunity Canvas: WPUSERPRO_RCE
Name | wpuserprorce
---|---
CVE | CVE-2017-16562
Exploit Pack | CANVAS
Description | Wordpress Remote Command Execution Through UserPro Plugin login bypass
Notes | References: https://www.exploit-db.com/exploits/43117/ Repeatability: Infinite VENDOR: UserPro Plugin CVE Url:...
Authentication flaw
The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to the default URI...
CVE-2017-16562
The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to the default URI...
WordPress UserPro Plugin Authentication Bypass Vulnerability
WordPress is a blogging platform developed by the WordPress Software Foundation using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. UserPro plugin for WordPress is a plugin for creating social platform sites using WordPress. The plugin has...
UserPro <= 4.9.17 - Authentication Bypass
The userpro plugin has the ability to bypass login authentication for the user 'admin'. If the site does not use the standard username 'admin' it is not affected. PoC 1 - Google Dork inurl:/plugins/userpro 2 - Browse to a site that has the userpro plugin installed. 3 - Append ?upautolog=true to t...
UserPro <= 4.9.17 - Authentication Bypass
The userpro plugin has the ability to bypass login authentication for the user 'admin'. If the site does not use the standard username 'admin' it is not affected. 1 - Google Dork inurl:/plugins/userpro 2 - Browse to a site that has the userpro plugin installed. 3 - Append ?upautolog=true to the...