Description
Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery. This issue affects Userpro: from n/a before 5.1.11.
Published: 2026-04-15
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized data modification or privilege escalation
Action: Apply patch immediately
AI Analysis

Impact

A cross-site request forgery flaw in DeluxeThemes Userpro permits an attacker to trick a logged-in site visitor into submitting a forged request that bypasses normal authorization checks, allowing the attacker to perform privileged actions such as changing account settings or posting content. The vulnerability is classified as CWE-352 and carries a CVSS score of 4.3, indicating moderate impact if exploited.

Affected Systems

The flaw exists in all versions of the Userpro plugin for WordPress older than 5.1.11. All sites running Userpro prior to this release are exposed, regardless of WordPress version or server configuration, because the plugin itself performs insufficient token validation on form submissions.

Risk and Exploitability

The exploit requires that the victim be authenticated to the site and that the attacker can embed a malicious request within a site the victim visits, typically by hosting a malicious image or script. The lack of an EPSS score and the fact that the vulnerability is not listed in the KEV catalog suggest it has not yet seen widespread exploitation. However, the moderate CVSS rating and the ease of creating CSRF requests mean that once discovered, the flaw could affect any vulnerable WordPress site quickly. Site operators who leave the plugin at a vulnerable version are at moderate to high risk if they have active user accounts with elevated privileges.

Generated by OpenCVE AI on April 15, 2026 at 22:20 UTC.

Remediation

Vendor Solution

Update the WordPress Userpro Plugin to the latest available version (at least 5.1.11).


OpenCVE Recommended Actions

  • Upgrade the Userpro plugin to version 5.1.11 or later, which includes the CSRF protection fix.
  • Deactivate or delete the vulnerable Userpro plugin instance to ensure no old code runs.
  • Apply WordPress core security best practices, such as verifying WordPress nonces on every state-changing request and limiting user roles, to reduce the impact window of any similar flaws.
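As an added illustration of the nonce-based protection the recommended actions refer to (this is generic example code written for this page, not Userpro's code, and the action name `example_profile_update`, the nonce field `example_profile_nonce` and the handler functions are hypothetical), here is a WordPress form handler that accepts any POST from a logged-in user beside one that verifies the nonce and the user's capability before acting:

```php
<?php
// Added example, not Userpro's code. All names below are hypothetical.

// BEFORE: a state-changing handler that trusts any POST from a logged-in user.
// A form post forged on another site is sent with the victim's cookies, so
// this runs with the victim's privileges but without their intent (CWE-352).
function example_profile_update_unprotected() {
    if ( ! is_user_logged_in() || empty( $_POST['display_name'] ) ) {
        return;
    }
    wp_update_user( array(
        'ID'           => get_current_user_id(),
        'display_name' => sanitize_text_field( wp_unslash( $_POST['display_name'] ) ),
    ) );
}

// Rendering the form: wp_nonce_field() emits a hidden nonce bound to this
// action and to the current user's session, plus a hidden referer field.
function example_profile_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_profile_update', 'example_profile_nonce' ); ?>
        <input type="text" name="display_name">
        <button type="submit" name="example_profile_submit">Save</button>
    </form>
    <?php
}

// AFTER: refuse the request unless it carries a valid nonce for this action
// and the current user is actually allowed to perform it.
function example_profile_update_protected() {
    if ( ! isset( $_POST['example_profile_submit'] ) ) {
        return;
    }
    // wp_verify_nonce() returns false on failure, 1 or 2 on success (the
    // number indicates how old the nonce tick is). check_admin_referer() is
    // the equivalent that calls wp_die() itself.
    $nonce = isset( $_POST['example_profile_nonce'] ) ? $_POST['example_profile_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_profile_update' ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }
    // A nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'edit_user', get_current_user_id() ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    if ( empty( $_POST['display_name'] ) ) {
        return;
    }
    wp_update_user( array(
        'ID'           => get_current_user_id(),
        'display_name' => sanitize_text_field( wp_unslash( $_POST['display_name'] ) ),
    ) );
}
add_action( 'init', 'example_profile_update_protected' );
```

For AJAX endpoints the same pattern applies with `check_ajax_referer()`; the point in both cases is that every request which changes state must carry a nonce tied to the logged-in user and the specific action, and that the nonce check is in addition to, not instead of, a `current_user_can()` check.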



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Deluxethemes; Deluxethemes userpro; Wordpress; Wordpress wordpress
Vendors & Products  |                | Deluxethemes; Deluxethemes userpro; Wordpress; Wordpress wordpress

Wed, 15 Apr 2026 18:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 16:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery. This issue affects Userpro: from n/a before 5.1.11.
Title       |                | WordPress Userpro plugin < 5.1.11 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses  |                | CWE-352
References  |                |
Metrics     |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-15T17:26:16.160Z

Reserved: 2025-06-30T10:46:21.828Z

Link: CVE-2025-53444

Vulnrichment

Updated: 2026-04-15T17:26:06.425Z

NVD

Status: Received

Published: 2026-04-15T16:16:33.837

Modified: 2026-04-15T16:16:33.837

Link: CVE-2025-53444

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:30:16Z

Weaknesses