Description
Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro userpro allows Cross Site Request Forgery. This issue affects Userpro: from n/a through < 5.1.11.
Published: 2026-04-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized action via CSRF
Action: Upgrade plugin
AI Analysis

Impact

The vulnerability is a cross‑site request forgery flaw (CWE‑352) in the DeluxeThemes Userpro WordPress plugin. It permits an attacker to trick an authenticated visitor into submitting forged requests that bypass the plugin’s CSRF checks, potentially enabling unauthorized actions on the site. The CVE text does not enumerate the specific operations that could be performed; the inference that any action facilitated by the plugin might be vulnerable comes from the nature of CSRF attacks.

Affected Systems

The flaw affects every installation of the Userpro plugin for WordPress with a version older than 5.1.11, regardless of the underlying WordPress core or server configuration.

Risk and Exploitability

The CVSS score of 4.3 corresponds to Medium severity. The EPSS score of less than 1% points to a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require the victim to be logged into the site and an attacker to embed a malicious request, usually via a hosted resource that triggers the action. While CSRF techniques are common, current data suggests that widespread attacks against this weakness are unlikely, though the potential for targeted or opportunistic exploitation remains.

Generated by OpenCVE AI on April 29, 2026 at 00:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Userpro to version 5.1.11 or later, which includes the CSRF protection fix.
  • If the plugin cannot be updated, deactivate or delete the vulnerable plugin instance to prevent execution of the old code.
  • Apply general WordPress security best practices, such as implementing nonce checks on forms and restricting user role privileges, to reduce the window of opportunity for similar flaws.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery. This issue affects Userpro: from n/a before 5.1.11.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro userpro allows Cross Site Request Forgery. This issue affects Userpro: from n/a through < 5.1.11.

Type: References

Wed, 15 Apr 2026 21:15:00 +0000

Type: First Time appeared
Values Added: Deluxethemes; Deluxethemes userpro; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Deluxethemes; Deluxethemes userpro; Wordpress; Wordpress wordpress

Wed, 15 Apr 2026 18:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 16:00:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery. This issue affects Userpro: from n/a before 5.1.11.

Type: Title
Values Added: WordPress Userpro plugin < 5.1.11 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:24.932Z

Reserved: 2025-06-30T10:46:21.828Z

Link: CVE-2025-53444

Vulnrichment

Updated: 2026-04-15T17:26:06.425Z

NVD

Status: Deferred

Published: 2026-04-15T16:16:33.837

Modified: 2026-04-23T15:32:33.030

Link: CVE-2025-53444

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T00:30:16Z

Weaknesses