CVE-2023-2497: CSRF
First published: Wed Nov 22 2023(Updated: )
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'import_settings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection due to the use of unserialize() on the user supplied parameter via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| UserPro | <=5.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of UserPro plugin for WordPress?
The vulnerability ID is CVE-2023-2497.
What is the severity of CVE-2023-2497?
The severity of CVE-2023-2497 is high with a severity score of 8.8.
How does the UserPro plugin for WordPress vulnerability occur?
The vulnerability occurs due to missing or incorrect nonce validation on the 'import_settings' function of the UserPro plugin for WordPress.
How can unauthenticated attackers exploit the UserPro plugin for WordPress vulnerability?
Unauthenticated attackers can exploit the UserPro plugin for WordPress vulnerability to perform PHP Object Injection.
How can I fix the UserPro plugin for WordPress vulnerability?
To fix the UserPro plugin for WordPress vulnerability, update to a version beyond 5.1.0.
- agent/references
- agent/type
- agent/event
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- vendor/userproplugin
- canonical/userpro
- version/userpro/5.1.0