Incorrect Privilege Assignment vulnerability in DeluxeThemes Userpro userpro.This issue affects Userpro: from n/a through <= 5.1.8.
The vulnerability results from incorrect privilege assignment (CWE-266) in the UserPro plugin logic. An attacker without any credentials can exploit an error in the permission management mechanism to gain unauthorized access to other users' accounts, including potentially administrative accounts. The vulnerability is remotely accessible over the network without requiring user interaction on the victim's side.
An attacker can take control of any user account on the WordPress site, which in practice means full access to site resources, ability to modify content, and further privilege escalation up to administrator level.
The UserPro plugin must be immediately updated to a version higher than 5.1.8. Details regarding available patches should be verified according to information published by the vendor and the Patchstack database.
WordPress UserPro plugin (DeluxeThemes) in versions from n/a to 5.1.8 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HUserproplugin Userpro
APPUserproplugin< 5.1.9
Related vulnerabilities
Nieautoryzowany reset hasła w pluginie UserPro dla WordPress
Pominięcie uwierzytelnienia w pluginie UserPro dla WordPress (logowanie Facebook)
The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote...
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,...
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,...