VYPR

Userpro

by WordPress

CVEs (24)

  • CVE-2023-2437 Cri Nov 22, 2023
    risk 0.70 cvss 9.8 epss 0.07

    The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.1. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers…

  • CVE-2017-16562 Cri Nov 10, 2017
    risk 0.69 cvss 9.8 epss 0.27

    The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to the default URI.

  • CVE-2024-35700 Cri Jun 4, 2024
    risk 0.64 cvss 9.8 epss 0.00

    Incorrect Privilege Assignment vulnerability in DeluxeThemes Userpro userpro. This issue affects Userpro: from n/a through <= 5.1.8.

  • CVE-2023-2449 Cri Nov 22, 2023
    risk 0.64 cvss 9.8 epss 0.01

    The UserPro plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 5.1.1. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (userpro_process_form). The…

  • CVE-2024-56211 Hig Dec 31, 2024
    risk 0.57 cvss 8.8 epss 0.00

    Missing Authorization vulnerability in DeluxeThemes Userpro userpro. This issue affects Userpro: from n/a through <= 5.1.9.

  • CVE-2023-6009 Hig Nov 22, 2023
    risk 0.57 cvss 8.8 epss 0.01

    The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a…

  • CVE-2023-2497 Hig Nov 22, 2023
    risk 0.57 cvss 8.8 epss 0.00

    The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'import_settings' function. This makes it possible for unauthenticated attackers to exploit PHP…

  • CVE-2023-2440 Hig Nov 22, 2023
    risk 0.57 cvss 8.8 epss 0.00

    The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing nonce validation in the 'admin_page', 'userpro_verify_user' and 'verifyUnverifyAllUsers' functions. This makes it possible for…

  • CVE-2024-56212 Hig Dec 31, 2024
    risk 0.55 cvss 8.5 epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in DeluxeThemes Userpro userpro. This issue affects Userpro: from n/a through <= 5.1.9.

  • CVE-2024-56214 Hig Dec 31, 2024
    risk 0.54 cvss 8.3 epss 0.00

    Path Traversal: '.../...//' vulnerability in DeluxeThemes Userpro userpro allows Path Traversal. This issue affects Userpro: from n/a through <= 5.1.9.

  • CVE-2025-68608 Hig Dec 24, 2025
    risk 0.49 cvss 7.5 epss 0.00

    Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Userpro: from n/a through <= 5.1.9.

  • CVE-2023-6007 Hig Nov 22, 2023
    risk 0.47 cvss 7.3 epss 0.00

    The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add,…

  • CVE-2024-56210 Hig Dec 31, 2024
    risk 0.46 cvss 7.1 epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DeluxeThemes Userpro userpro allows Reflected XSS. This issue affects Userpro: from n/a through <= 5.1.9.

  • CVE-2023-2448 Med Nov 22, 2023
    risk 0.42 cvss 6.5 epss 0.01

    The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to arbitrary shortcode…

  • CVE-2023-2446 Med Nov 22, 2023
    risk 0.42 cvss 6.5 epss 0.01

    The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it…

  • CVE-2023-6008 Med Nov 22, 2023
    risk 0.41 cvss 6.3 epss 0.00

    The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete user…

  • CVE-2023-2438 Med Nov 22, 2023
    risk 0.40 cvss 6.1 epss 0.00

    The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'userpro_save_userdata' function. This makes it possible for unauthenticated attackers to update the…

  • CVE-2023-2447 Med Nov 22, 2023
    risk 0.40 cvss 6.1 epss 0.00

    The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the 'export_users' function. This makes it possible for unauthenticated attackers to export the users to…

  • CVE-2018-16285 Med Sep 6, 2018
    risk 0.40 cvss 6.1 epss 0.01

    The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php.

  • CVE-2025-4187 Med Jun 14, 2025
    risk 0.38 cvss 5.9 epss 0.01

    The UserPro - Community and User Profile WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.10 via the userpro_fbconnect() function. This makes it possible for unauthenticated attackers to read the contents of…

Page 1 of 2