The UserPro plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 5.1.1. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (userpro_process_form). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-2448 and CVE-2023-2446, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability.
The userpro_process_form function handling password reset uses a reset key in plaintext instead of its hashed value. Such a key can be read by an attacker — for example through SQL Injection in another plugin or theme installed on the site, or by exploiting related vulnerabilities CVE-2023-2448 or CVE-2023-2446. After obtaining the key, the attacker can directly invoke the reset function and set a new password for the chosen account. The entire attack requires no authentication, user interaction, or special privileges.
An attacker can take control of any user account — including WordPress administrator accounts — by setting a new password without the owner's knowledge. This results in a complete breach of the site's confidentiality, integrity, and availability.
The UserPro plugin must be updated immediately to a version higher than 5.1.1, according to information available from the vendor and in the references. It is also recommended to review other installed plugins and themes for SQL Injection vulnerabilities that could be used as a secondary attack vector.
UserPro plugin (Userproplugin Userpro) for WordPress in versions up to and including 5.1.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HUserproplugin Userpro
APPUserproplugin≤ 5.1.1
Related vulnerabilities
Incorrect Privilege Assignment w wtyczce WordPress UserPro — przejęcie konta bez uwierzytelnienia
Pominięcie uwierzytelnienia w pluginie UserPro dla WordPress (logowanie Facebook)
The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote...
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,...
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,...