WordPress Plugin Vulnerabilities

UserPro < 5.1.2 - Missing Authorization via multiple functions

Description

The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.

Affects Plugins

Plugin icon
userpro
Fixed in 5.1.2

References

CVE
CVE-2023-6007
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6c4f8798-c0f9-4d05-808e-375864a0ad95

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.3 (high)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
aa5ba927-bfa4-447b-8c8f-3f5f685c066d

Timeline

Publicly Published
2023-11-21 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2023-12-27
Title
BuddyBoss Theme < 2.4.61 - Missing Authorization
Published
2025-11-04
Title
CoSchedule < 3.4.1 - Missing Authorization
Published
2024-08-28
Title
Fota WP < 1.4.2 - Missing Authorization via fotawp_install_and_activate_plugins()
Published
2025-04-04
Title
Privyr CRM <= 1.0.2 - Missing Authorization
Published
2025-03-06
Title
EventPrime – Events Calendar, Bookings and Tickets < 4.0.7.4 - Missing Authorization to Authenticated (Subscriber+) Event Attendees Export