Description
Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through <= 1.02.
Published: 2025-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The User Profile Meta Manager plugin, version 1.02 and earlier, contains a Cross‑Site Request Forgery flaw that can be triggered by a forged HTTP request. When an authenticated user visits such a request, the plugin processes it without proper verification, enabling the attacker to elevate the user's privileges to administrator level.

Affected Systems

The vulnerability impacts any WordPress site running Danny Vink:User Profile Meta Manager plugin version 1.02 or older. Sites upgraded to newer releases have resolved the flaw.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests a low probability of active exploitation. The entry is not listed in CISA’s KEV catalog. The attack vector is CSRF: an attacker can lure an authenticated user to a malicious link, after which privilege escalation occurs immediately, with no further prerequisites.

Generated by OpenCVE AI on April 30, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Profile Meta Manager plugin to a version newer than 1.02 to apply the CSRF fix
  • If an update is not available, disable or completely remove the plugin from the WordPress installation to eliminate the attack surface
  • Restrict access to the WordPress administration panel to trusted IP addresses and enable two‑factor authentication for all administrative accounts

Generated by OpenCVE AI on April 30, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15793 Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through 1.02.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through 1.02. Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through <= 1.02.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 19 May 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 20:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through 1.02.
Title WordPress User Profile Meta Manager plugin <= 1.02 - CSRF to Privilege Escalation vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:56.780Z

Reserved: 2025-05-19T14:14:34.470Z

Link: CVE-2025-48340

cve-icon Vulnrichment

Updated: 2025-05-19T21:10:19.784Z

cve-icon NVD

Status : Deferred

Published: 2025-05-19T21:15:22.457

Modified: 2026-04-23T15:31:08.420

Link: CVE-2025-48340

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:30:26Z

Weaknesses