WordPress Kirotech UserPro plugin multiple vulnerabilities, two critical
Take action: If you are using the Kirotech UserPro plugin on WordPress, update to version 5.1.5 immediately. As of today, detailed public write-ups of the vulnerabilities, including examples, are available, and sites running unpatched versions will be targeted.
The Wordfence Threat Intelligence team is publicly reporting multiple vulnerabilities with varying degrees of severity in the WordPress UserPro plugin by Kirotech. The plugin has over 20,000 active installations on WordPress sites.
- Insecure Password Reset Mechanism: CVE-2023-2449 (CVSS score 9.8)
- Authentication Bypass to Administrator: CVE-2023-2437 (CVSS score 9.8)
- Authenticated (Subscriber+) Privilege Escalation: CVE-2023-6009 (CVSS score 8.8)
- Sensitive Information Disclosure via Shortcode: CVE-2023-2446 (CVSS score 6.5)
- Missing Authorization to Arbitrary Shortcode Execution: CVE-2023-2448 (CVSS score 6.5)
Kirotech was first contacted about the discovery on May 1, and a response was received on May 10. Following full disclosure of the vulnerabilities, Kirotech released an initial fix on July 27 and a final patch on October 31, 2023.
All users of the plugin are advised to upgrade to the latest patched UserPro version, 5.1.5, immediately.
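To turn the "upgrade to 5.1.5" advice into a repeatable check, here is a small Python script (an added example, not code from Wordfence or Kirotech) that reads the standard WordPress plugin header comment, extracts the `Version:` line the same way WordPress's own `get_plugin_data()` does, and compares it numerically against the patched version. The plugin file path below is an assumed placeholder (UserPro's real main file name is not given on this page), and the sample header is constructed for illustration.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Fixed version named in the advisory.
PATCHED_VERSION = "5.1.5"

# Assumed placeholder path; adjust to the plugin's actual main file.
DEFAULT_PLUGIN_FILE = Path("wp-content/plugins/userpro/userpro.php")

# Constructed sample of a WordPress plugin header block. The values are
# made up for this example and are not taken from the real plugin.
SAMPLE_HEADER = """<?php
/*
Plugin Name: UserPro
Plugin URI: https://example.invalid/userpro
Description: Sample header for illustration only.
Version: 5.1.4
Author: Kirotech
*/
"""

# Mirrors the header-line pattern WordPress uses: optional comment
# decoration, the key, then the value to end of line.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(.+?)\s*$",
                        re.MULTILINE | re.IGNORECASE)


def parse_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header, or None if absent."""
    match = VERSION_RE.search(header_text)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Convert the leading dotted-numeric part of a version string to ints.

    Any trailing suffix (e.g. '-beta1') is ignored for the comparison.
    """
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if core is None:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True if the installed version is older than the patched version.

    Tuples are zero-padded so that '5.1' compares equal to '5.1.0'.
    """
    a, b = version_tuple(installed), version_tuple(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def assess_header(header_text: str) -> Tuple[Optional[str], bool]:
    """Return (detected version, needs_update) for a header block.

    A header with no Version: line is reported as needing attention,
    since the install cannot be confirmed patched.
    """
    version = parse_version(header_text)
    if version is None:
        return None, True
    return version, is_vulnerable(version)


def check_plugin_file(path: Path = DEFAULT_PLUGIN_FILE) -> Tuple[Optional[str], bool]:
    """Read the plugin's main file and assess its header."""
    return assess_header(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    detected, needs_update = assess_header(SAMPLE_HEADER)
    state = "UPDATE REQUIRED" if needs_update else "patched"
    print(f"UserPro version {detected or 'unknown'}: {state} (fixed in {PATCHED_VERSION})")
```

Run `check_plugin_file()` against the real plugin file on each site you manage; a result of `(None, True)` means the header could not be read and the install should be verified by hand rather than assumed safe.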