UserPro Plugin Vulnerability Allows Account Takeover


The UserPro plugin, a popular community and user profile tool for WordPress developed by DeluxeThemes, has been found to have a significant security vulnerability. 

This plugin, used by over 20,000 sites, enables users to create customizable front-end profiles and community websites. 

Patchstack discovered the critical flaw in the plugin’s password reset mechanism, specifically within the userpro_process_form function, which allowed unauthenticated users to change the passwords of other users under certain conditions.

The vulnerability, identified as CVE-2024-35700, was due to improper handling of a “secret key” used during the password reset process. The function failed to properly verify the key, enabling attackers to exploit this oversight and gain unauthorized access to user accounts. 

The vulnerability is rated critical because it lets an attacker change the password of any account that currently has a secret key set, which is the state an account is in once a password reset has been requested for it. 

An attacker can therefore initiate a password reset for a target account, which causes the secret key to be set, and then submit the reset form before the legitimate user completes the process; because the function does not properly verify the key, the attacker does not need to know its value. 

“Note that this vulnerability is reproducible in a default installation and activation of the UserPro plugin without a specific requirement or configuration,” Patchstack warned.


The flaw was present in all versions of the UserPro plugin up to and including 5.1.8. The vendor responded promptly, releasing a patched version, 5.1.9, on April 29 2024. Patchstack added the issue to its vulnerability database on May 21 2024 and issued a public advisory the following day.

Patchstack recommended that all UserPro users update their plugin to at least version 5.1.9 immediately. 

“The vulnerabilities discussed here underscore the importance of securing all aspects of a plugin, especially those designed for changing the user's password,” Patchstack wrote. “Always make sure the object or variable passed to the crucial function to update the user's password has been validated and previously checked.”
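To make that closing advice concrete, here is an added illustration of the bug class, written for this page in Python rather than PHP and not taken from UserPro or from Patchstack's advisory. It places a reset handler that only checks that an account has a secret key set beside one that actually verifies the key the caller submits. The in-memory user store, the form field names, the `request_reset` / `reset_password_*` function names and the 15-minute key lifetime are all assumptions made for the example.

```python
"""Password-reset handling: a flawed key check beside a hardened one.

Added example for this article, not UserPro's code. The user store, form
shape and function names are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

RESET_TTL_SECONDS = 15 * 60   # assumed key lifetime


@dataclass
class User:
    username: str
    password_hash: str
    reset_key: str = ""        # the "secret key" stored when a reset is requested
    reset_expires: float = 0.0


def hash_password(password: str) -> str:
    # Stand-in for a real password hash (bcrypt/argon2); sha256 keeps the
    # example dependency-free and is not what production code should use.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample user table for the example.
USERS = {
    "alice": User("alice", hash_password("correct horse")),
    "bob": User("bob", hash_password("battery staple")),
}


def request_reset(username: str, now: Optional[float] = None) -> str:
    """Step 1 of a reset: mint a random secret key and store it with an expiry.

    Anyone can trigger this for any account, which is exactly why the key
    itself must be verified later. A real system emails the key to the user
    instead of returning it; it is returned here only so the example can run.
    """
    now = time.time() if now is None else now
    user = USERS[username]
    user.reset_key = secrets.token_urlsafe(32)
    user.reset_expires = now + RESET_TTL_SECONDS
    return user.reset_key


def reset_password_flawed(form: dict) -> bool:
    """Flawed: checks that *a* key is set but never compares the submitted one.

    Any unauthenticated caller can change the password of a user with a
    pending reset. This is the shape of bug the advisory describes; the
    actual UserPro code is not reproduced here.
    """
    user = USERS.get(form.get("username", ""))
    if user is None or not user.reset_key:
        return False
    user.password_hash = hash_password(form.get("new_password", ""))
    return True


def reset_password_hardened(form: dict, now: Optional[float] = None) -> bool:
    """Hardened: validate the submitted key before touching the password."""
    now = time.time() if now is None else now
    user = USERS.get(form.get("username", ""))
    submitted = form.get("secret_key", "")
    if user is None or not user.reset_key or not submitted:
        return False                       # no pending reset, or no key supplied
    if now > user.reset_expires:
        _clear_reset(user)
        return False                       # stale key
    if not hmac.compare_digest(user.reset_key.encode(), submitted.encode()):
        return False                       # wrong key, compared in constant time
    new_password = form.get("new_password", "")
    if len(new_password) < 12:
        return False                       # assumed minimum length policy
    user.password_hash = hash_password(new_password)
    _clear_reset(user)                     # single use: key is gone after success
    return True


def _clear_reset(user: User) -> None:
    user.reset_key = ""
    user.reset_expires = 0.0


def check_login(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(
        user.password_hash.encode(), hash_password(password).encode())
```

The hardened handler rejects an empty key, a wrong key and an expired key, compares in constant time, and invalidates the key on success so it cannot be replayed; the flawed one accepts any request for an account that merely has a reset pending.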

Image credit: Primakov / Shutterstock.com
