The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-11-22T15:33:37.741Z

Updated: 2024-08-02T08:21:17.115Z

Reserved: 2023-11-08T05:32:13.517Z

Link: CVE-2023-6009

cve-icon Vulnrichment

Updated: 2024-08-02T08:21:17.115Z

cve-icon NVD

Status : Modified

Published: 2023-11-22T16:15:15.643

Modified: 2024-11-21T08:42:58.377

Link: CVE-2023-6009

cve-icon Redhat

No data.