HIGH🇬🇧 English

CVE-2023-2440

CVSS 8.8v3.1pub. 2023-11-22upd. 2026-04-08

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing nonce validation in the 'admin_page', 'userpro_verify_user' and 'verifyUnverifyAllUsers' functions. This makes it possible for unauthenticated attackers to modify the role of verified users to elevate verified user privileges to that of any user such as 'administrator' via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Userproplugin Userpro

    APP
    Userproplugin
    ≤ 5.1.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Auth Bypass
CWE
Referencje

Powiązane podatności

CVE-2024-35700CRITICAL9.8PL ✓ten sam produkt

Incorrect Privilege Assignment w wtyczce WordPress UserPro — przejęcie konta bez uwierzytelnienia

CVE-2023-2437CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia w pluginie UserPro dla WordPress (logowanie Facebook)

CVE-2023-2449CRITICAL9.8PL ✓ten sam produkt

Nieautoryzowany reset hasła w pluginie UserPro dla WordPress

CVE-2017-16562CRITICAL9.8ten sam produkt

The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote...

CVE-2023-2497HIGH8.8ten sam produkt

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,...

CVE-2023-2440 — HIGH 8.8 | CVEbaza.pl