CVE-2023-2446
CVE-2023-2446 (WordPress UserPro plugin) affects UserPro up to version 5.1.1. The vulnerability is a sensitive information disclosure via the userpro shortcode caused by insufficient restriction on sensitive user meta values, enabling authenticated attackers with subscriber-level permissions and ...
CVE-2023-2448
CVE-2023-2448 concerns the WordPress UserPro plugin. Affected versions are up to and including 5.1.4, where a missing capability check in the function userpro_shortcode_template allows unauthenticated attackers to perform arbitrary shortcode execution and unauthorized data access. The incident is...
CVE-2023-2440
CVE-2023-2440 (UserPro WordPress Plugin) affects versions up to 5.1.1 and is a CSRF vulnerability due to missing nonce validation in admin_page, userpro_verify_user, and verifyUnverifyAllUsers. This allows unauthenticated attackers to modify verified users’ roles, potentially elevating privileges ...
CVE-2023-2497
CVE-2023-2497 affects the UserPro WordPress plugin up to version 5.1.0. It is a Cross-Site Request Forgery (CSRF) vulnerability stemming from missing or incorrect nonce validation on the import_settings function, which, when combined with unserialize() on user-supplied data, can enable unauthenti...
CVE-2023-2449
The CVE-2023-2449 issue concerns the WordPress UserPro plugin. Concrete details from connected sources show that versions up to 5.1.1 are affected by an unauthorized password-reset flaw due to the plugin using plaintext reset keys (userpro_process_form) instead of a hashed value, enabling misuse ...
CVE-2023-2437
CVE-2023-2437 (UserPro WordPress plugin) is confirmed via connected data: WordPress UserPro
CVE-2023-2438
CVE-2023-2438: A CSRF flaw in the WordPress plugin UserPro (WordPress,
CVE-2023-6007
CVE-2023-6007 affects the WordPress plugin UserPro – Community and User Profile WordPress Plugin. Root cause: a missing capability check on multiple functions in all versions up to 5.1.1, allowing unauthenticated attackers to perform data access and manipulation. Impact (as stated): attackers ca...
CVE-2023-2447
CVE-2023-2447 affects the WordPress UserPro plugin (up to v5.1.1). Root cause: CSRF due to missing/incorrect nonce validation in export_users, allowing unauthenticated export of users to CSV if a site admin is tricked. Mitigation: update to v5.1.2 (patch).
CVE-2023-6008
CVE-2023-6008 is a CSRF vulnerability in the WordPress UserPro plugin (
CVE-2023-6009
CVE-2023-6009: The WordPress UserPro plugin (versions up to 5.1.4) is vulnerable to privilege escalation due to insufficient restriction of the function userpro_update_user_profile. An authenticated user with minimal permissions (e.g., a subscriber) can modify their own role by supplying the wp_...
CVE-2017-16562
The CVE-2017-16562 entry concerns the WordPress UserPro Plugin prior to version 4.9.17.1. The vulnerability allows remote attackers, when the site uses the default admin username, to bypass authentication and obtain administrative access by sending a true value for the up_auto_log parameter in th...
CVE-2024-35700
CVE-2024-35700 affects the WordPress plugin “UserPro” (DeluxeThemes) up to version 5.1.8. The issue is described as Improper Privilege Management enabling Unauthenticated Account Takeover with privilege escalation. Impact as stated: confidentiality, integrity and availability impact; CVSS v3.1 base s...
CVE-2023-2439
The CVE-2023-2439 issue affects the WordPress UserPro plugin (version range up to 5.1.5). The root cause is insufficient input sanitization and output escaping on attributes passed to the userpro shortcode, enabling Stored Cross-Site Scripting. The vulnerability requires authentication with contr...
CVE-2024-0701
CVE-2024-0701 concerns the WordPress UserPro plugin. The vulnerability is described as a Security Feature Bypass caused by relying on client-side restrictions to enforce the Disable Registration setting, enabling unauthenticated attackers to create accounts even when registration is disabled. Dat...
CVE-2018-16285
CVE-2018-16285 affects the WordPress UserPro premium plugin up to version 4.9.23. The vulnerability is an XSS in the shortcode handling: attacker-supplied content passed to the userpro_shortcode_template action is reflected into wp-admin/admin-ajax.php, enabling cross-site scripting. Im...