CVE-2023-6009 - OpenCVE

The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Userproplugin	Userpro

Configuration 1 [-]

cpe:2.3:a:userproplugin:userpro:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/175871/WordPress-UserPro-5.1.x-Password-Reset-Authentication-Bypass-Escalation.html
https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
https://www.wordfence.com/threat-intel/vulnerabilities/id/e8bed9c0-dae3-405e-a946-5f28a3c30851?source=cve

History

No history.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-11-22T15:33:37.741Z

Updated: 2024-08-02T08:21:17.115Z

Reserved: 2023-11-08T05:32:13.517Z

Link: CVE-2023-6009

Vulnrichment

Updated: 2024-08-02T08:21:17.115Z

NVD

Status : Analyzed

Published: 2023-11-22T16:15:15.643

Modified: 2023-11-29T18:54:09.383

Link: CVE-2023-6009

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6009", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-11-08T05:32:13.517Z", "datePublished": "2023-11-22T15:33:37.741Z", "dateUpdated": "2024-08-02T08:21:17.115Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2023-11-22T15:33:37.741Z"}, "affected": [{"vendor": "n/a", "product": "UserPro - Community and User Profile WordPress Plugin", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "5.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8bed9c0-dae3-405e-a946-5f28a3c30851?source=cve"}, {"url": "https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681"}, {"url": "http://packetstormsecurity.com/files/175871/WordPress-UserPro-5.1.x-Password-Reset-Authentication-Bypass-Escalation.html"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-266 Incorrect Privilege Assignment"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2023-07-06T00:00:00.000+00:00", "lang": "en", "value": "Discovered"}, {"time": "2023-07-06T00:00:00.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2023-11-21T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"affected": [{"vendor": "userpro_community_and_user_profile_wordpress_plugin", "product": "userpro_community_and_user_profile_wordpress_plugin", "cpes": ["cpe:2.3:a:userpro_community_and_user_profile_wordpress_plugin:userpro_community_and_user_profile_wordpress_plugin:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.4", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2023-11-29T19:52:40.250798Z", "id": "CVE-2023-6009", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T15:50:31.252Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.115Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8bed9c0-dae3-405e-a946-5f28a3c30851?source=cve", "tags": ["x_transferred"]}, {"url": "https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175871/WordPress-UserPro-5.1.x-Password-Reset-Authentication-Bypass-Escalation.html", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8bed9c0-dae3-405e-a946-5f28a3c30851?source=cve", "tags": ["x_transferred"]}, {"url": "https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/175871/WordPress-UserPro-5.1.x-Password-Reset-Authentication-Bypass-Escalation.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.115Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-6009", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2023-11-29T19:52:40.250798Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:userpro_community_and_user_profile_wordpress_plugin:userpro_community_and_user_profile_wordpress_plugin:*:*:*:*:*:*:*:*"], "vendor": "userpro_community_and_user_profile_wordpress_plugin", "product": "userpro_community_and_user_profile_wordpress_plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T15:50:24.550Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "n/a", "product": "UserPro - Community and User Profile WordPress Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-07-06T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2023-07-06T00:00:00.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2023-11-21T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8bed9c0-dae3-405e-a946-5f28a3c30851?source=cve"}, {"url": "https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681"}, {"url": "http://packetstormsecurity.com/files/175871/WordPress-UserPro-5.1.x-Password-Reset-Authentication-Bypass-Escalation.html"}], "descriptions": [{"lang": "en", "value": "The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-266 Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2023-11-22T15:33:37.741Z"}}}, "cveMetadata": {"cveId": "CVE-2023-6009", "state": "PUBLISHED", "dateUpdated": "2024-08-02T08:21:17.115Z", "dateReserved": "2023-11-08T05:32:13.517Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2023-11-22T15:33:37.741Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:userproplugin:userpro:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "498C35EE-4702-4B1C-BF55-71F81664FB52", "versionEndIncluding": "5.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update."}, {"lang": "es", "value": "El complemento UserPro para WordPress es vulnerable a la escalada de privilegios en versiones hasta la 5.1.4 incluida debido a una restricci\u00f3n insuficiente en la funci\u00f3n 'userpro_update_user_profile'. Esto hace posible que atacantes autenticados, con permisos m\u00ednimos, como un suscriptor, modifiquen su rol de usuario proporcionando el par\u00e1metro 'wp_capabilities' durante una actualizaci\u00f3n de perfil."}], "id": "CVE-2023-6009", "lastModified": "2023-11-29T18:54:09.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2023-11-22T16:15:15.643", "references": [{"source": "security@wordfence.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/175871/WordPress-UserPro-5.1.x-Password-Reset-Authentication-Bypass-Escalation.html"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8bed9c0-dae3-405e-a946-5f28a3c30851?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}