The UserPro plugin [1] [2], developed by DeluxeThemes for WordPress [1], has a critical security vulnerability that allows unauthorized users to change passwords of certain users.
Description
The UserPro plugin has a critical security vulnerability (CVE-2024-35700) in its password reset mechanism [1]. The flaw allows unauthorized users to change the passwords of certain users by exploiting a secret key [1]. The vulnerability was present in all versions up to and including 5.1.8 [1]; a patched version (5.1.9) was released on April 29, 2024 [1].
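The page does not describe how the UserPro reset flow was bypassed beyond "exploiting a secret key", so the following is an added illustration, not UserPro's code and not a reconstruction of the flaw: it shows the properties a password reset mechanism has to enforce so that possession of a site-wide secret or a token issued for one account can never change another account's password. The token is random (not derived from any site secret), bound to a single user, stored only as a hash, time-limited, single-use, and compared in constant time. Names such as UserStore, start_reset and complete_reset are invented for this example.

```python
"""Added example: a password-reset flow with per-user, expiring, single-use
random tokens. Not UserPro code; all names here are invented for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links are short-lived


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


@dataclass
class User:
    username: str
    password_hash: str
    # Only a hash of the outstanding reset token is kept, so reading the
    # database does not yield usable tokens; None means no reset is pending.
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def add(self, username: str, password: str) -> None:
        self.users[username] = User(username, hash_password(password))


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def start_reset(store: UserStore, username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a fresh random token for one user (the value that would be e-mailed)."""
    user = store.users.get(username)
    if user is None:
        return None  # the HTTP response should look the same either way (no user enumeration)
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never derived from a site secret
    user.reset_token_hash = _hash_token(token)
    user.reset_expires_at = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
    return token


def complete_reset(store: UserStore, username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Change the password only if the token was issued for *this* user,
    has not expired, and has not been used before."""
    user = store.users.get(username)
    if user is None or user.reset_token_hash is None:
        return False
    current = time.time() if now is None else now
    if current > user.reset_expires_at:
        user.reset_token_hash = None  # stale token is discarded, not honoured
        return False
    # Constant-time comparison against the stored hash of the token
    if not hmac.compare_digest(user.reset_token_hash, _hash_token(token)):
        return False
    user.password_hash = hash_password(new_password)
    user.reset_token_hash = None  # single use: the same link cannot be replayed
    return True
```

The check that matters most for a flaw of this class is in complete_reset: the token is looked up under the account named in the request, so a valid token for one user is simply a wrong token for every other user, and nothing in the flow lets a caller who knows a server-side secret skip the per-user lookup.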
Conclusion
It is recommended that all users update to version 5.1.9 immediately to prevent unauthorized access to user accounts. Failure to do so may result in unauthorized users gaining access to sensitive information and compromising user accounts. Stay vigilant and ensure that your software is always up to date to protect against security vulnerabilities.
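To confirm that an installation is actually on 5.1.9 or later, the version has to be compared numerically rather than as a string (as a string, "5.1.10" sorts below "5.1.9"). The following is an added example, not from the page or the vendor: it reads the standard "Version:" field of a WordPress plugin header and compares it with the patched release named above. The sample header text is constructed for the example.

```python
"""Added example: decide whether an installed plugin version is at or above
the patched release (5.1.9). Not vendor code; the sample header is constructed."""
import re
from typing import Optional, Tuple

PATCHED_VERSION = (5, 1, 9)  # patched release named in the advisory
# Standard WordPress plugin header field, e.g. "Version: 5.1.8" or " * Version: 5.1.8"
_VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric components only: '5.1.10' -> (5, 1, 10), so 5.1.10 > 5.1.9.
    Parsing stops at the first non-numeric component, so a pre-release such
    as '5.1.9-beta' becomes (5, 1) and is conservatively treated as unpatched."""
    parts = []
    for p in version.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_patched(version: str) -> bool:
    return parse_version(version) >= PATCHED_VERSION


def version_from_header(php_source: str) -> Optional[str]:
    """Extract the Version field from the plugin's main PHP file header."""
    m = _VERSION_LINE.search(php_source)
    return m.group(1) if m else None


# Constructed sample header in the WordPress plugin header format
SAMPLE_HEADER = """<?php
/*
Plugin Name: UserPro
Version: 5.1.8
*/
"""

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    if v is None:
        print("no Version field found")
    else:
        print(v, "patched" if is_patched(v) else "VULNERABLE: update to 5.1.9 or later")
```

On a host with WP-CLI, `wp plugin list --fields=name,version` reports the same version strings for every installed plugin; the comparison logic above applies to that output as well.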
References
[1] https://www.infosecurity-magazine.com/news/userpro-plugin-flaw-allows-account/
[2] https://patchstack.com/articles/critical-vulnerability-patched-in-userpro-plugin/