CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-35700

CVSS 9.8v3.1pub. 2024-06-04upd. 2026-04-23

Incorrect Privilege Assignment vulnerability in DeluxeThemes Userpro userpro.This issue affects Userpro: from n/a through <= 5.1.8.

🤖 AI Analysis
How it works

The vulnerability results from incorrect privilege assignment (CWE-266) in the UserPro plugin logic. An attacker without any credentials can exploit an error in the permission management mechanism to gain unauthorized access to other users' accounts, including potentially administrative accounts. The vulnerability is remotely accessible over the network without requiring user interaction on the victim's side.

Impact

An attacker can take control of any user account on the WordPress site, which in practice means full access to site resources, ability to modify content, and further privilege escalation up to administrator level.

Mitigation & patch

The UserPro plugin must be immediately updated to a version higher than 5.1.8. Details regarding available patches should be verified according to information published by the vendor and the Patchstack database.

Who is affected

WordPress UserPro plugin (DeluxeThemes) in versions from n/a to 5.1.8 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Userproplugin Userpro

    APP
    Userproplugin
    < 5.1.9
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2023-2449CRITICAL9.8PL ✓ten sam produkt

Nieautoryzowany reset hasła w pluginie UserPro dla WordPress

CVE-2023-2437CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia w pluginie UserPro dla WordPress (logowanie Facebook)

CVE-2017-16562CRITICAL9.8ten sam produkt

The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote...

CVE-2023-2440HIGH8.8ten sam produkt

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,...

CVE-2023-2497HIGH8.8ten sam produkt

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,...