PT-2023-19620 · WordPress · Userpro

István Márton · Published 2023-11-22 · Updated 2023-12-04
CVE-2023-2446
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: UserPro plugin for WordPress, versions up to and including 5.1.1

Description: Authenticated attackers with subscriber-level permissions and above can disclose sensitive user information. The 'userpro' shortcode does not sufficiently restrict which user meta values it renders, so meta values that should stay private can be read by any logged-in user who can get the shortcode evaluated. The disclosed values could potentially be used to gain access to a high-privileged user account.

Recommendations: At the time of writing, no release containing a fix is known. Once a version that restricts the user meta values reachable through the shortcode is available, update installations running 5.1.1 or earlier to it. Until then, note that the attack requires an authenticated account, so the exposure is greatest on sites that allow self-registration of subscriber-level users.
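The restriction the Description refers to is a control over which user meta keys a shortcode is allowed to render. The PHP below is an added illustration of that weakness class and its fix, written for this page: it is not UserPro's code and makes no claim about how the real 'userpro' shortcode is implemented. The shortcode name 'userpro_demo', the two function names and the list of public fields are assumptions; only WordPress core APIs are used.

```php
<?php
// Illustrative example, not UserPro's code. Shows a profile shortcode that
// lets any logged-in user read arbitrary user meta, beside a hardened
// version. The shortcode name, function names and $allowed list are
// hypothetical; every API called here is WordPress core.

// VULNERABLE PATTERN: the meta key comes straight from the shortcode
// attribute, so any row in wp_usermeta (capabilities, session tokens,
// password-reset state, third-party API tokens) can be rendered.
function demo_profile_field_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'user_id' => 0, 'field' => 'description' ),
        $atts,
        'userpro_demo'
    );
    $value = get_user_meta( (int) $atts['user_id'], $atts['field'], true );
    return esc_html( is_scalar( $value ) ? (string) $value : wp_json_encode( $value ) );
}

// HARDENED PATTERN: allowlist of public profile fields, an explicit deny of
// protected meta, and a check that the target user exists.
function demo_profile_field_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'user_id' => 0, 'field' => 'description' ),
        $atts,
        'userpro_demo'
    );

    // 1. Only fields the site owner marked as public may be displayed.
    //    Anything not on this list is refused, whatever the attacker sends.
    $allowed = array( 'description', 'first_name', 'last_name', 'nickname' );
    $field   = sanitize_key( $atts['field'] );
    if ( ! in_array( $field, $allowed, true ) ) {
        return '';
    }

    // 2. Defence in depth: never expose WordPress-protected meta, even if a
    //    later change adds one of these keys to the allowlist.
    //    is_protected_meta() covers keys beginning with '_' and the
    //    'is_protected_meta' filter; the explicit list catches core keys
    //    that carry privileges or sessions but do not start with '_'.
    global $wpdb;
    $never = array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
        'session_tokens',
    );
    if ( is_protected_meta( $field, 'user' ) || in_array( $field, $never, true ) ) {
        return '';
    }

    // 3. Resolve the target account; refuse silently if it does not exist so
    //    the shortcode cannot be used to enumerate valid user IDs by error text.
    $target_id = (int) $atts['user_id'];
    if ( $target_id <= 0 || ! get_userdata( $target_id ) ) {
        return '';
    }

    // 4. Only a scalar string is ever echoed, and always escaped for HTML.
    $value = get_user_meta( $target_id, $field, true );
    return esc_html( is_string( $value ) ? $value : '' );
}

add_shortcode( 'userpro_demo', 'demo_profile_field_hardened' );
```

The key design point is the direction of the check: the hardened handler decides what may be shown (an allowlist) rather than trying to enumerate what must be hidden, and keeps the protected-meta deny only as a backstop. If a site legitimately needs non-public fields rendered for some viewers, gate those on a capability check such as current_user_can( 'edit_users' ) rather than widening the allowlist for everyone.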

Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2023-2446

Affected Products: Userpro