Attention all WordPress users! If you are using the UserPro plugin (up to and including version 5.1.1), there is an important vulnerability you need to be aware of. This security flaw lets unauthenticated attackers access, modify, and even delete your user meta data and plugin options, which can lead to unauthorized disclosure, modification, and loss of data. In this post, we provide a comprehensive analysis of this vulnerability, known as CVE-2023-6007, including code snippets, links to the original references, and details of the exploit.

Vulnerability Details

UserPro is a popular WordPress plugin that offers customizable user registration, user profile management, and membership features. However, in versions up to and including 5.1.1, the plugin contains a critical security flaw that can lead to unauthorized access, modification, or deletion of data. The issue stems from a missing capability check on multiple functions in the plugin's core code.

An attacker can exploit this vulnerability by sending a specially crafted request that calls these vulnerable functions without any authorization or authentication. This allows the attacker to add, modify, or delete user meta information and plugin options, exposing the site to a wide range of security risks.

Code Snippet

Here is a code snippet taken from the vulnerable function userpro_update_options() in the UserPro.php file:

function userpro_update_options() {
    // No capability check and no nonce check: any request that reaches this
    // handler can overwrite the plugin's entire options array.
    if (isset($_POST) && isset($_POST['up_options'])) {
        update_option('userpro', $_POST['up_options']);
    }
}

As you can see, there is no capability check to ensure that the request comes from an authorized and authenticated user. The function writes the options array directly from $_POST['up_options'], so an attacker who controls the request body controls the plugin options.

Exploit Details

To exploit the vulnerability, an attacker needs to craft an HTTP POST request, which triggers the vulnerable function. Here's an example request that an attacker could use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

action=userpro_update_options&up_options[disable_ajax]=true&up_options[x]=x

This request would set the 'disable_ajax' and 'x' options. On a vulnerable site, the server responds with a '200 OK' status, indicating that the plugin options were updated.

How to fix or mitigate the vulnerability

The plugin developers have been notified about this vulnerability, and the latest version (5.1.2) of the UserPro plugin includes a fix for this issue. If you're running an affected version, we strongly recommend updating to the latest version as soon as possible.

If, for some reason, you cannot upgrade, consider manually patching your copy of the plugin source code. Add this line of code above the 'if' statement in the userpro_update_options() function:

if (!current_user_can('manage_options')) return;

This will ensure that only users with the 'manage_options' capability (i.e., administrators) can update plugin options.
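The one-line patch above closes the authorization gap. For readers who want to see what a fully hardened version of this handler looks like, here is an added example written for this post; it is not code from the UserPro plugin or its developers. It goes beyond the page's fix by also adding a nonce (CSRF) check, validating that the submitted value is an array, and merging only allow-listed, sanitized keys into the stored option. The nonce action name 'userpro_update_options', the option keys in the allow-list, and the function name userpro_update_options_hardened() are assumptions made for illustration, not the plugin's real schema.

```php
<?php
// Hardened replacement for userpro_update_options(), written as an
// illustration for this post (not taken from the UserPro plugin). It assumes
// the handler is reached via admin-ajax.php and that the settings form emits
// a nonce created with wp_create_nonce('userpro_update_options'); both the
// nonce action name and the option keys below are assumptions.

function userpro_update_options_hardened() {
    // 1. Capability check: only administrators (manage_options) may change
    //    plugin settings. This is the check CVE-2023-6007 was missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. CSRF check: an administrator's browser must not be tricked into
    //    submitting this form from another site. check_ajax_referer() ends the
    //    request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'userpro_update_options', '_wpnonce' );

    // 3. Shape check: refuse anything that is not an array of options.
    if ( ! isset( $_POST['up_options'] ) || ! is_array( $_POST['up_options'] ) ) {
        wp_send_json_error( array( 'message' => 'No options submitted.' ), 400 );
    }

    // 4. Allow-list and sanitize: merge only known keys onto the stored array
    //    instead of trusting an arbitrary client-supplied structure. Unknown
    //    keys such as 'x' from the request shown above are silently dropped.
    //    The key list is illustrative, not the plugin's real option schema.
    $allowed = array(
        'disable_ajax' => 'bool',
        'profile_slug' => 'slug',
        'welcome_text' => 'text',
    );
    $clean = (array) get_option( 'userpro', array() );

    foreach ( $allowed as $key => $type ) {
        if ( ! array_key_exists( $key, $_POST['up_options'] ) ) {
            continue;
        }
        $raw = wp_unslash( $_POST['up_options'][ $key ] );
        if ( ! is_string( $raw ) ) {
            continue; // nested arrays are never valid for these keys
        }
        switch ( $type ) {
            case 'bool':
                $clean[ $key ] = ( 'true' === $raw || '1' === $raw ) ? 'true' : 'false';
                break;
            case 'slug':
                $clean[ $key ] = sanitize_title( $raw );
                break;
            default:
                $clean[ $key ] = sanitize_text_field( $raw );
        }
    }

    update_option( 'userpro', $clean );
    wp_send_json_success( array(
        'updated' => array_keys( array_intersect_key( $clean, $allowed ) ),
    ) );
}

// Register only the authenticated AJAX hook. A settings-changing action must
// never get a wp_ajax_nopriv_ variant, which would expose it to logged-out
// visitors.
add_action( 'wp_ajax_userpro_update_options', 'userpro_update_options_hardened' );
```

Note the ordering: the capability check runs first so that an unauthenticated request is rejected before any other processing, the nonce check protects administrators against cross-site request forgery, and the allow-list ensures that even a legitimate administrator cannot accidentally store an unexpected structure in the 'userpro' option. With the plugin's real option schema substituted for the illustrative keys, this is the shape a maintainer's fix would take.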

References

1. CVE-2023-6007 Entry on National Vulnerability Database (NVD)
2. Official UserPro plugin website
3. WordPress Plugin Directory listing for UserPro

Conclusion

In conclusion, CVE-2023-6007 is a critical security issue within the UserPro plugin for WordPress up to and including version 5.1.1. Malicious actors could exploit this flaw to gain unauthorized access to user meta data and to modify plugin options. If you use the UserPro plugin, we highly recommend taking proactive steps to update the plugin or patch the vulnerability to ensure the continued security and integrity of your site.

Timeline

Published on: 11/22/2023 16:15:15 UTC
Last modified on: 11/29/2023 19:01:54 UTC