CVE-2023-2497 – UserPro <= 5.1.0 - Cross-Site Request Forgery to PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-2497
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'import_settings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection, because unserialize() is called on a user-supplied parameter from the forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
• https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
• https://www.wordfence.com/threat-intel/vulnerabilities/id/fbb601ce-a884-4894-af13-dab14885c7eb?source=cve
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-6007 – UserPro <= 5.1.1 - Missing Authorization via multiple functions
https://notcve.org/view.php?id=CVE-2023-6007
The UserPro plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.
• https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
• https://www.wordfence.com/threat-intel/vulnerabilities/id/6c4f8798-c0f9-4d05-808e-375864a0ad95?source=cve
• CWE-862: Missing Authorization
CVE-2023-6008 – UserPro <= 5.1.1 - Cross-Site Request Forgery via multiple functions
https://notcve.org/view.php?id=CVE-2023-6008
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.
• https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
• https://www.wordfence.com/threat-intel/vulnerabilities/id/ed6e2b9e-3d70-4c07-a779-45164816b89c?source=cve
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-6009 – UserPro <= 5.1.4 - Authenticated (Subscriber+) Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-6009
The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. WordPress UserPro plugin versions 5.1.1 and below suffer from an insecure password reset mechanism, information disclosure, and authentication bypass vulnerabilities.
• http://packetstormsecurity.com/files/175871/WordPress-UserPro-5.1.x-Password-Reset-Authentication-Bypass-Escalation.html
• https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
• https://www.wordfence.com/threat-intel/vulnerabilities/id/e8bed9c0-dae3-405e-a946-5f28a3c30851?source=cve
• CWE-266: Incorrect Privilege Assignment
CVE-2019-14470 – UserPro <= 4.9.34 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14470
cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter. WordPress UserPro versions 4.9.32 and below suffer from a cross-site scripting vulnerability.
• https://www.exploit-db.com/exploits/47304
• http://packetstormsecurity.com/files/154206/WordPress-UserPro-4.9.32-Cross-Site-Scripting.html
• https://github.com/cosenary/Instagram-PHP-API/commits/master
• https://wpvulndb.com/vulnerabilities/9815
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')