Skip to content

UserPro plugin’s critical flaws alarm WordPress users

  • by
  • 3 min read

Multiple high and critical severity vulnerabilities in Kirotech’s UserPro plugin have been discovered, allowing the threat actors to perform privilege escalation, authenticate bypass, cross-site request forgery, insecure password reset, arbitrary shortcode execution, and several other attacks.

Currently, this plugin is installed on over 20,000 websites using Wordpress.

Researchers from Wordfence first identified the vulnerabilities on April 26 and initiated the responsible disclosure process on May 1, 2023. However, communication delays in contacting Kirotech resulted in the vendor acknowledging the flaws on May 10.

Kirotech released patches on July 27, with additional updates on September 28. Finally, a fully patched version was released on October 31, 2023.

Insecure password reset mechanism (CVE-2023-2449)

Complete exploit procedure. | Source: Wordfence

The UserPro plugin, up to version 5.1.1, exhibits an insecure password reset mechanism. This vulnerability arises from insufficient validation in the password reset function, allowing attackers to exploit password reset keys easily.

The issue was addressed in the fully patched version 5.1.2.

Sensitive information disclosure via shortcode (CVE-2023-2446)

UserPro versions below 5.1.1 are also susceptible to sensitive information disclosure through the ‘userpro’ shortcode. The shortcode lacks adequate restriction on sensitive user meta values, enabling authenticated attackers with subscriber-level permissions and above to retrieve sensitive user metadata.

This information could be exploited to gain access to high-privileged user accounts.

Missing authorisation to arbitrary shortcode execution (CVE-2023-2448)

userpro_shortcode_template function. | Source: Wordfence

Up to version 5.1.4, the UserPro plugin lacks proper authorisation checks in the ‘userpro_shortcode_template’ function. This allows unauthenticated attackers to perform arbitrary shortcode execution, potentially facilitating the exploitation of other vulnerabilities.

Version 5.1.5 addresses this issue.

Authentication bypass to administrator

Version 5.1.1 and earlier are vulnerable to authentication bypass during a Facebook login. Inadequate verification of the user-supplied during a Facebook login allows unauthenticated attackers to log in as existing users, including administrators, who know the users’ email addresses.

This critical security concern is resolved in the fully patched version 5.1.5.

Authenticated (subscriber +) privilege escalation

Until version 5.1.4, the ‘userpro_update_user_profile’ function lacks proper restrictions, exposing the plugin to authenticated privilege escalation. Subscribers could manipulate their role by supplying the ‘wp_capabilities’ parameter during a profile update, potentially leading to complete site compromise.

Other vulnerabilities

Researchers also found several other vulnerabilities involving AJAX and POST actions lacking proper capability checks. These vulnerabilities, coupled with the absence of non-verification, permit authenticated attackers with minimal access to invoke actions and forge requests on behalf of administrators.

Several WordPress plugins have been exposed to be vulnerable. In July 2023, the AIOS security plugin was found to have a bug. In June, MiniOrange’s Social Login and Register plugin were found to have flaws. In May, it was reported that the Advanced Custom Fields plugin was vulnerable to cross-site scripting attacks. In April, it was reported that more than one million WordPress websites were affected by the Balada malware.

In the News: Privacy concerns emerge as Chennai upgrades surveillance

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: