CRITICAL🇵🇱 Wersja polska

CVE-2023-2437

CVSS 9.8v3.1pub. 2023-11-22upd. 2026-04-08

The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.1. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. An attacker can leverage CVE-2023-2448 and CVE-2023-2446 to get the user's email address to successfully exploit this vulnerability.

🤖 AI Analysis
How it works

The vulnerability results from insufficient verification of user identity during the Facebook login process performed by the plugin. An attacker can provide the email address of an existing account without needing to possess a password or authentication token. The vulnerability can be chained with CVE-2023-2448 and CVE-2023-2446, which enable obtaining the victim's email address, allowing for full, chained exploitation of this flaw.

Impact

An attacker can take over any account on the WordPress site, including administrator accounts, gaining full control over the website — ability to modify content, install malicious plugins, and access user data.

Mitigation & patch

The UserPro plugin should be updated to a version higher than 5.1.1. Patches available from the vendor should be applied according to the references. Additionally, it is recommended to review access logs to detect any unauthorized logins and to remove or deactivate the plugin until updates are applied.

Who is affected

UserPro (User Profiles with Social Login) plugin for WordPress in versions up to and including 5.1.1.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Userproplugin Userpro

    APP
    Userproplugin
    ≤ 5.1.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-35700CRITICAL9.8PL ✓ten sam produkt

Incorrect Privilege Assignment w wtyczce WordPress UserPro — przejęcie konta bez uwierzytelnienia

CVE-2023-2449CRITICAL9.8PL ✓ten sam produkt

Nieautoryzowany reset hasła w pluginie UserPro dla WordPress

CVE-2017-16562CRITICAL9.8ten sam produkt

The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote...

CVE-2023-2440HIGH8.8ten sam produkt

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,...

CVE-2023-2497HIGH8.8ten sam produkt

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,...