Several Critical Vulnerabilities including Privilege Escalation, Authentication Bypass, and More Patched in UserPro WordPress Plugin

Nov 21, 2023 | Digital Marketing, Research, Vulnerabilities, WordPress Security

In May 2023, the Wordfence Threat Intelligence team discovered high- and critical-severity vulnerabilities in Kirotech’s UserPro plugin, which is active on over 20,000 WordPress websites. Wordfence Premium, Wordfence Care, and Wordfence Response users received firewall rules on May 19, 2023 to protect against exploits targeting these vulnerabilities, and free-version users received the same protection on June 18, 2023. After initial attempts to contact Kirotech, the developers released patches on July 27, 2023 and October 31, 2023. The vulnerabilities allowed unauthorized password resets, retrieval of sensitive user metadata, and unauthorized access to data because of missing capability checks on the plugin’s ‘userpro_shortcode_template’ function. The release of the firewall rule was delayed while the company made substantial changes to improve the quality assurance of all firewall rules it releases. At the time the article was written, there was no evidence that the vulnerabilities were known or targeted during the initial disclosure period.

The ‘Password Reset to Privilege Escalation using the Sensitive Information Disclosure via Shortcode’ vulnerability allowed unauthorized password resets because the plugin relied on the native WordPress password reset functionality while performing insufficient validation in its own password reset function. An attacker could also chain vulnerabilities in other plugins or themes to exploit the UserPro plugin. Additionally, UserPro was vulnerable to sensitive information disclosure via a userpro shortcode, which allowed authenticated attackers with subscriber-level permissions to retrieve sensitive user metadata that could be used to gain access to highly privileged user accounts.

Another vulnerability, ‘Authentication Bypass to Administrator’, allowed an attacker to bypass authentication. Once an attacker gains administrative access to a WordPress site through this bypass, the result is complete site compromise.

Lastly, the ‘Missing Authorization to Arbitrary Shortcode Execution’ vulnerability allowed unauthenticated attackers to execute arbitrary shortcodes. An attacker could leverage it to retrieve sensitive information via shortcode, and it made the other vulnerabilities exploitable even without authentication.
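To make the ‘missing authorization’ pattern concrete, here is an added, hypothetical example of a WordPress AJAX handler that renders a shortcode named in the request; it is not UserPro’s code. The first handler has no nonce, capability or allow-list check, so any unauthenticated visitor can have the site execute whatever registered shortcode they name; the second handler adds those checks. The action names, function names, required capability and allow-list are assumptions.

```php
<?php
// Hypothetical plugin code, added for illustration; not UserPro's implementation.

// VULNERABLE PATTERN: registered for unauthenticated (nopriv) requests and
// executes whatever shortcode the request names, with no nonce, capability
// or allow-list check. Any shortcode from any active plugin is reachable.
add_action( 'wp_ajax_nopriv_render_template', 'insecure_render_template' );
add_action( 'wp_ajax_render_template', 'insecure_render_template' );
function insecure_render_template() {
    $tag = isset( $_REQUEST['template'] ) ? $_REQUEST['template'] : '';
    echo do_shortcode( '[' . $tag . ']' ); // arbitrary shortcode execution
    wp_die();
}

// HARDENED PATTERN: logged-in users only (no nopriv hook), a nonce bound to
// this action, an explicit capability check, and an allow-list of the few
// shortcodes this feature is actually meant to render.
add_action( 'wp_ajax_render_template_secure', 'secure_render_template' );
function secure_render_template() {
    // Rejects forged cross-site requests; terminates with 403 on failure.
    check_ajax_referer( 'render_template_nonce', 'nonce' );

    // Authorization: treat template rendering as an editor-level task (assumption).
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allow-list of tags this feature needs (assumed set); reject anything else.
    $allowed = array( 'profile_card', 'member_list' );
    $tag     = isset( $_POST['template'] ) ? sanitize_key( wp_unslash( $_POST['template'] ) ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }

    wp_send_json_success( do_shortcode( '[' . $tag . ']' ) );
}
```

The same three controls (authentication, a capability check, and an allow-list over what the caller may select) apply to any handler that turns request input into shortcode, template or query execution.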

It is imperative that WordPress site owners using the UserPro plugin update to the latest patched version, 5.1.5, as soon as possible to protect against these vulnerabilities. Failing to update could lead to unauthorized access to user accounts, data leaks, and potentially complete site compromise.
