CVE-2023-6008: CSRF
First published: Wed Nov 22 2023(Updated: )
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| UserPro | <=5.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-6008?
CVE-2023-6008 is a vulnerability in the UserPro plugin for WordPress that allows unauthenticated attackers to perform Cross-Site Request Forgery attacks.
What is the severity of CVE-2023-6008?
The severity of CVE-2023-6008 is medium with a CVSS score of 6.3.
How does CVE-2023-6008 work?
CVE-2023-6008 occurs due to missing or incorrect nonce validation on multiple functions in the UserPro plugin for WordPress, allowing unauthenticated attackers to add, modify, or delete user meta and plugin options.
How can I fix CVE-2023-6008?
To fix CVE-2023-6008, update the UserPro plugin for WordPress to version 5.1.2 or higher.
Are there any additional resources for CVE-2023-6008?
For more information about CVE-2023-6008, you can refer to the Wordfence threat intelligence page and the CodeCanyon page for the UserPro plugin.
- agent/type
- agent/references
- agent/event
- agent/first-publish-date
- agent/severity
- agent/author
- agent/weakness
- collector/epss-latest
- source/FIRST
- agent/description
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- vendor/userproplugin
- canonical/userpro
- version/userpro/5.1.1