The UserPro plugin, a preferred group and consumer profile instrument for WordPress developed by DeluxeThemes, has been discovered to have a big safety vulnerability.
This plugin, utilized by over 20,000 websites, allows customers to create customizable front-end profiles and group web sites.
Patchstack found the important flaw within the plugin’s password reset mechanism, particularly inside the userpro_process_form operate, which allowed unauthenticated customers to alter the passwords of different customers beneath sure situations.
The vulnerability, recognized as CVE-2024-35700, was as a result of improper dealing with of a “secret key” used throughout the password reset course of. The operate did not correctly confirm the important thing, enabling attackers to use this oversight and achieve unauthorized entry to consumer accounts.
The UserPro plugin’s vulnerability is taken into account important as a result of it permits potential attackers to alter customers’ passwords with a secret key set, which is often used when customers request a password reset.
The attackers can exploit this by initiating a password reset after which intercepting or manipulating the key key earlier than the respectable consumer completes the method.
“Notice that this vulnerability is reproducible in a default set up and activation of the UserPro plugin with no particular requirement or configuration,” Patchstack warned.
Learn extra on password safety: LastPass Enforces 12-Character Grasp Passwords
The corporate added the difficulty to its vulnerability database on Could 21 2024, and issued a public advisory the next day. This flaw was current in all variations of the UserPro plugin as much as model 5.1.8. The seller responded promptly, releasing a patched model, 5.1.9, on April 29 2024.
Patchstack really useful that every one UserPro customers replace their plugin to at the very least model 5.1.9 instantly.
“The vulnerabilities mentioned right here underscore the significance of securing all points of a plugin, particularly these designed for altering the consumer’s password” Patchstack wrote. “At all times be certain that the thing or variable handed to the essential operate to replace the consumer’s password has been validated and beforehand checked.”
Picture credit score: Primakov / Shutterstock.com
