A recent vulnerability, tagged as CVE-2023-2446, has been discovered in the UserPro plugin for WordPress, allowing sensitive information disclosure. This vulnerability affects versions up to (and including) 5.1.1. Because the 'userpro' shortcode does not sufficiently restrict which user meta values it exposes, authenticated attackers with subscriber-level permissions can retrieve sensitive user meta data and potentially gain unauthorized access to highly privileged user accounts.

Details

UserPro is a widely used WordPress plugin for enhanced user management and profile customization. It provides advanced options and functionality such as custom fields, badges, profile pictures, and many more.

The vulnerability exists because the plugin does not properly restrict the usage of the 'userpro' shortcode, which can then be used to query any user meta value. Consequently, with access to sensitive user meta data, an attacker can compromise accounts with elevated privileges.

Relevant Source Code Snippet

In the vulnerable version of the UserPro plugin, the code that handles the 'userpro' shortcode can be found in the following file:

// File: /userpro/functions/shortcode-main.php
function userpro_shortcode_handler( $atts, $content = null ) {

    global $userpro;

    // The shortcode attributes are imported straight into local variables.
    // 'key' and 'user' come from whoever authored the post, and nothing here
    // checks whether the requested meta key is one that may be displayed.
    extract( shortcode_atts( array(
        'key' => '',
        'value' => '',
        'user' => '',
    ), $atts ) );

    ...

    return $userpro->user_permalink( $user );
}

As the snippet shows, the handler never checks whether the requested user meta key is restricted or should be considered sensitive before its value is looked up and rendered.

Available Exploit Details

The vulnerability can be exploited by a user with subscriber-level permissions. To reproduce the vulnerability, follow the steps below:

1. Create a new WordPress Post or Page, and insert the 'userpro' shortcode along with the required user meta key and user ID attributes:

Replace sensitive_meta_key with the meta key of sensitive data you wish to retrieve, and target_user_id with the user ID of the target account.

2. Publish the post or page and view it while being logged in with subscriber-level permissions or higher.

3. The sensitive user meta data (e.g., password hash or API keys) will be displayed on the rendered page.

Mitigation and Recommendations

Update to the latest version of the UserPro plugin as soon as possible. The newest version adds checks that restrict the usage of the 'userpro' shortcode, preventing unauthorized access to sensitive user meta data.

If you are still running an older version and cannot update yet, restrict access to the WordPress editor for subscribers and other low-privilege users, or review the plugin's code and either add appropriate checks or remove the vulnerable shortcode functionality.
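The interim mitigation above (adding checks or disabling the shortcode) and the missing sensitivity check noted under the source snippet can both be addressed without patching the plugin's files. The following mu-plugin is an added example written for this page; it is not part of the UserPro plugin or of the original advisory. It assumes the shortcode accepts the 'key' and 'user' attributes shown in the earlier snippet (with 'user' being a user ID, as the reproduction steps describe) and that UserPro registers the shortcode on or before WordPress's init action. The deny-list and every function name prefixed userpro_harden_ are constructed for this example.

```php
<?php
/**
 * Added example, not the UserPro plugin's own code: an mu-plugin that wraps the
 * 'userpro' shortcode with a capability check and a sensitive-key filter, plus
 * a sweep that lists posts already carrying the shortcode with a key attribute.
 * Assumptions: the shortcode accepts the 'key' and 'user' attributes shown in
 * the snippet above, and UserPro registers it on or before the 'init' action.
 */

// Meta keys that must never be rendered for another user (constructed list).
const USERPRO_HARDEN_DENYLIST = array(
    'session_tokens', // WordPress login session hashes
);

/**
 * Pure decision function so the policy can be tested outside WordPress.
 * $target_id is the user whose meta is requested, $current_id the viewer.
 */
function userpro_harden_is_key_allowed( $key, $target_id, $current_id, $can_edit_users ) {
    $key = (string) $key;
    if ( $key === '' ) {
        return true; // no meta lookup requested
    }
    // Protected meta (leading underscore) is never exposed through a shortcode.
    if ( $key[0] === '_' ) {
        return false;
    }
    if ( in_array( $key, USERPRO_HARDEN_DENYLIST, true ) ) {
        return false;
    }
    // Role and level keys carry the table prefix (e.g. wp_capabilities); match on the suffix.
    if ( substr( $key, -12 ) === 'capabilities' || substr( $key, -10 ) === 'user_level' ) {
        return false;
    }
    // Reading another user's meta requires the edit_users capability.
    if ( (int) $target_id !== (int) $current_id && ! $can_edit_users ) {
        return false;
    }
    return true;
}

function userpro_harden_install_wrapper() {
    global $shortcode_tags;
    if ( empty( $shortcode_tags['userpro'] ) ) {
        return; // plugin not active or shortcode registered under another name
    }
    $original = $shortcode_tags['userpro'];

    remove_shortcode( 'userpro' );
    add_shortcode( 'userpro', function ( $atts, $content = null ) use ( $original ) {
        $atts      = is_array( $atts ) ? $atts : array();
        $key       = isset( $atts['key'] ) ? $atts['key'] : '';
        $viewer    = get_current_user_id();
        $target_id = isset( $atts['user'] ) ? (int) $atts['user'] : $viewer;

        if ( ! userpro_harden_is_key_allowed( $key, $target_id, $viewer, current_user_can( 'edit_users' ) ) ) {
            // Record the attempt and render nothing instead of the meta value.
            error_log( sprintf( 'userpro shortcode blocked: key=%s target=%d viewer=%d', $key, $target_id, $viewer ) );
            return '';
        }
        return call_user_func( $original, $atts, $content );
    } );
}
// Priority 999 runs after UserPro has registered its shortcode on init.
add_action( 'init', 'userpro_harden_install_wrapper', 999 );

/**
 * Detection sweep: posts and pages whose content contains a 'userpro' shortcode
 * with a key attribute, so an administrator can review who authored them.
 * Run from WP-CLI with: wp eval 'print_r( userpro_harden_find_suspect_posts() );'
 */
function userpro_harden_find_suspect_posts() {
    global $wpdb;
    $like_tag = '%' . $wpdb->esc_like( '[userpro' ) . '%';
    $like_key = '%' . $wpdb->esc_like( 'key=' ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_author, post_status, post_date FROM {$wpdb->posts}
         WHERE post_content LIKE %s AND post_content LIKE %s",
        $like_tag,
        $like_key
    ) );
}
```

Place the file in wp-content/mu-plugins/ so it loads on every request without needing activation. The wrapper fails closed: a blocked request renders nothing and writes a line to the PHP error log, which gives a simple detection signal for attempts that predate the update. The sweep function is meant for incident response after the fact, listing posts that already embed the shortcode with a key attribute so their authors and publication dates can be reviewed.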

Original References

1. Security advisory on the developer's website (example): https://www.example.com/security-advisory/UserPro-vulnerability
2. WordPress.org plugin repository: https://wordpress.org/plugins/userpro/
3. CVE Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2446

Conclusion

The CVE-2023-2446 vulnerability is a severe issue that exposes sensitive information to attackers with low-level access. Make sure your WordPress instance and UserPro plugin are fully up to date and that proper access restrictions are in place to prevent unauthorized usage of the 'userpro' shortcode.

Timeline

Published on: 11/22/2023 08:15:00 UTC
Last modified on: 11/30/2023 05:27:00 UTC