cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-0701,https://securityvulnerability.io/vulnerability/CVE-2024-0701,Unauthenticated Attackers Can Register Accounts Despite Disabled Registration Feature,"The UserPro plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 5.1.6. This is due to the use of client-side restrictions to enforce the 'Disabled registration' Membership feature within the plugin's General settings. This makes it possible for unauthenticated attackers to register an account even when account registration has been disabled by an administrator.",Wordpress,Userpro - Community And User Profile WordPress Plugin,5.3,MEDIUM,0.0007699999841861427,false,,false,false,false,,false,false,2024-02-05T21:22:04.676Z,0
CVE-2023-2439,https://securityvulnerability.io/vulnerability/CVE-2023-2439,Stored Cross-Site Scripting Vulnerability in UserPro Plugin for WordPress,"The UserPro plugin for WordPress exhibits vulnerabilities due to inadequate sanitization of user-supplied attributes within the 'userpro' shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject malicious web scripts into WordPress pages. Such script injections can result in arbitrary code execution when other users access the affected pages, potentially compromising sensitive information and web application integrity.",Wordpress,UserPro - Community and User Profile WordPress Plugin,5.4,MEDIUM,0.0004799999878741801,false,,false,false,false,,false,false,2024-01-31T02:35:10.486Z,0
CVE-2023-2437,https://securityvulnerability.io/vulnerability/CVE-2023-2437,Authentication Bypass Vulnerability in UserPro Plugin for WordPress,"The UserPro plugin for WordPress is affected by an authentication bypass vulnerability due to inadequate user verification during Facebook logins. Attackers can exploit this flaw to gain unauthorized access, impersonating any existing user, including administrators, if they possess the user's email. The exploitation can be further enhanced by leveraging other vulnerabilities to obtain the email address required for this unauthorized login, putting user data and site security at significant risk.",Wordpress,UserPro - Community and User Profile WordPress Plugin,8.1,HIGH,0.01779000088572502,false,,false,false,false,,false,false,2023-11-22T16:15:00.000Z,0
CVE-2023-2438,https://securityvulnerability.io/vulnerability/CVE-2023-2438,Cross-Site Request Forgery Vulnerability in UserPro Plugin for WordPress,"The UserPro plugin for WordPress has a Cross-Site Request Forgery vulnerability due to inadequate nonce validation in the 'userpro_save_userdata' function. This vulnerability allows unauthenticated attackers to potentially alter user meta and inject harmful JavaScript by tricking a site administrator into executing a malicious action, such as clicking a link. This can lead to unauthorized access and exploitation of user data, posing serious security risks to WordPress sites running vulnerable versions.",Wordpress,UserPro - Community and User Profile WordPress Plugin,6.1,MEDIUM,0.0005099999834783375,false,,false,false,false,,false,false,2023-11-22T16:15:00.000Z,0
CVE-2023-2440,https://securityvulnerability.io/vulnerability/CVE-2023-2440,Cross-Site Request Forgery in UserPro Plugin for WordPress,"The UserPro plugin for WordPress has a Cross-Site Request Forgery vulnerability, allowing unauthenticated attackers to exploit missing nonce validation in critical functions. Attackers can elevate the user privileges of verified users by tricking site administrators into executing malicious requests. This vulnerability exists in versions of the plugin up to and including 5.1.1, creating risks for user role modifications and potential unauthorized access.",Wordpress,Userpro - Community And User Profile WordPress Plugin,8.8,HIGH,0.0007999999797903001,false,,false,false,false,,false,false,2023-11-22T16:15:00.000Z,0
CVE-2023-6007,https://securityvulnerability.io/vulnerability/CVE-2023-6007,Unauthorized Access and Data Manipulation in UserPro Plugin for WordPress,"The UserPro plugin for WordPress allows unauthorized users to gain access to sensitive data and modify or delete user metadata due to a missing capability check in multiple functions. This vulnerability affects all versions up to and including 5.1.1, enabling unauthenticated attackers to exploit the system and manipulate user profiles, which can lead to significant data integrity issues.",Wordpress,UserPro - Community and User Profile WordPress Plugin,6.5,MEDIUM,0.000590000010561198,false,,false,false,false,,false,false,2023-11-22T16:15:00.000Z,0
CVE-2023-2448,https://securityvulnerability.io/vulnerability/CVE-2023-2448,Unauthorized Access Vulnerability in UserPro Plugin for WordPress,"The UserPro plugin for WordPress has a flaw due to a missing capability check on the 'userpro_shortcode_template' function. This vulnerability allows unauthorized users to execute arbitrary shortcodes, potentially leading to unauthorized access to sensitive data. Attackers can exploit this weakness without authentication, compromising user data security. It is crucial for site owners to update to the latest version and implement necessary security measures to defend against this type of attack.",Wordpress,UserPro - Community and User Profile WordPress Plugin,5.3,MEDIUM,0.0023499999660998583,false,,false,false,false,,false,false,2023-11-22T16:15:00.000Z,0
CVE-2023-2449,https://securityvulnerability.io/vulnerability/CVE-2023-2449,Unauthorized Password Reset Vulnerability in UserPro Plugin for WordPress,"The UserPro plugin for WordPress has a serious vulnerability that allows unauthorized password resets due to flawed password reset functionality. This issue arises from insufficient validation in the password reset process, utilizing plaintext values instead of securely hashed values. As a result, attackers can exploit this flaw by leveraging other vulnerabilities like those found in CVE-2023-2448 or CVE-2023-2446, or even through SQL Injection attacks in other plugins or themes present on the same site. Website administrators are advised to update to patched versions and enhance their security measures to mitigate this risk.",Wordpress,UserPro - Community and User Profile WordPress Plugin,9.8,CRITICAL,0.006819999776780605,false,,false,false,false,,false,false,2023-11-22T16:15:00.000Z,0
CVE-2023-6008,https://securityvulnerability.io/vulnerability/CVE-2023-6008,Cross-Site Request Forgery Vulnerability in UserPro Plugin for WordPress,"The UserPro plugin on WordPress is susceptible to Cross-Site Request Forgery due to inadequate nonce validation across various functions. This flaw enables unauthenticated attackers to manipulate user metadata and alter plugin configurations, potentially leading to unauthorized actions being executed on behalf of legitimate users. Users are urged to update to the latest version to mitigate this risk.",Wordpress,UserPro - Community and User Profile WordPress Plugin,4.3,MEDIUM,0.0005099999834783375,false,,false,false,false,,false,false,2023-11-22T16:15:00.000Z,0
CVE-2023-2497,https://securityvulnerability.io/vulnerability/CVE-2023-2497,Cross-Site Request Forgery in UserPro Plugin for WordPress,"The UserPro plugin for WordPress, up to version 5.1.0, is susceptible to a Cross-Site Request Forgery attack due to inadequate nonce validation in its 'import_settings' function. This vulnerability allows unauthenticated attackers to manipulate PHP Object Injection by exploiting the unserialize() function on user-supplied parameters. By tricking a site administrator into clicking a malicious link, an attacker can issue unauthorized requests, potentially compromising user data and site integrity.",Wordpress,UserPro - Community and User Profile WordPress Plugin,8.8,HIGH,0.0007999999797903001,false,,false,false,false,,false,false,2023-11-22T16:15:00.000Z,0
CVE-2023-6009,https://securityvulnerability.io/vulnerability/CVE-2023-6009,Privilege Escalation Vulnerability in UserPro Plugin by WordPress,"The UserPro plugin for WordPress allows authenticated users with minimal permissions to escalate their privileges. This vulnerability arises from insufficient checks on the 'userpro_update_user_profile' function, enabling attackers to alter their user role by manipulating the 'wp_capabilities' parameter during profile updates. Consequently, users with subscriber-level access can gain unauthorized administrative capabilities, posing a significant security risk to WordPress sites utilizing this plugin.",Wordpress,UserPro - Community and User Profile WordPress Plugin,8.8,HIGH,0.0023399998899549246,false,,false,false,false,,false,false,2023-11-22T16:15:00.000Z,0
CVE-2023-2447,https://securityvulnerability.io/vulnerability/CVE-2023-2447,Cross-Site Request Forgery Vulnerability in UserPro Plugin for WordPress,"The UserPro plugin for WordPress contains a Cross-Site Request Forgery vulnerability that affects versions up to and including 5.1.1. This vulnerability arises from inadequate nonce validation in the 'export_users' function. It allows attackers to exploit this flaw by tricking site administrators into triggering the malicious action, potentially resulting in the unauthorized export of user data to a CSV file. Website administrators should take immediate action to secure their installations against this vulnerability as it poses a risk to user privacy and data integrity.",Wordpress,Userpro - Community And User Profile WordPress Plugin,6.1,MEDIUM,0.0005099999834783375,false,,false,false,false,,false,false,2023-11-22T08:15:00.000Z,0
CVE-2023-2446,https://securityvulnerability.io/vulnerability/CVE-2023-2446,Sensitive Information Disclosure in UserPro WordPress Plugin,"The UserPro plugin for WordPress has a vulnerability that permits authenticated attackers with subscriber-level access to exploit the 'userpro' shortcode, leading to the unintended disclosure of sensitive user meta values. This exposure arises from inadequate restrictions imposed on these values, potentially enabling adversaries to obtain critical user information that could facilitate unauthorized access to higher-privileged accounts. Users should update to the latest version to mitigate potential risks.",Wordpress,UserPro - Community and User Profile WordPress Plugin,6.5,MEDIUM,0.0020099999383091927,false,,false,false,false,,false,false,2023-11-22T08:15:00.000Z,0
CVE-2018-16285,https://securityvulnerability.io/vulnerability/CVE-2018-16285,,The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php.,Wordpress,Userpro,6.1,MEDIUM,0.001990000018849969,false,,false,false,false,,false,false,2018-09-06T23:29:00.000Z,0
CVE-2017-16562,https://securityvulnerability.io/vulnerability/CVE-2017-16562,,"The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the ""admin"" username, allows remote attackers to bypass authentication and obtain administrative access via a ""true"" value for the up_auto_log parameter in the QUERY_STRING to the default URI.",Wordpress,Userpro,9.8,CRITICAL,0.3309899866580963,false,,false,false,false,,false,false,2017-11-10T02:29:00.000Z,0