The UserPro plugin, a widely used tool for creating customizable front-end profiles and community websites on WordPress, has been found to have a significant security vulnerability. Discovered by Patchstack, this critical flaw in the plugin’s password reset mechanism, specifically within the userpro_process_form function, allows unauthenticated users to change the passwords of other users. Identified as CVE-2024-35700, the vulnerability stems from improper handling of a “secret key” used during the password reset process. The function failed to properly verify the key, enabling attackers to exploit this oversight and gain unauthorized access to user accounts.
The severity of this vulnerability is heightened by the fact that it can be reproduced in a default installation and activation of the UserPro plugin, affecting all versions up to 5.1.8. Attackers can exploit this by initiating a password reset and then intercepting or manipulating the secret key before the legitimate user completes the process. Patchstack added this issue to its vulnerability database on May 21, 2024, and issued a public advisory the following day. In response, the plugin’s developer, DeluxeThemes, promptly released a patched version, 5.1.9, on April 29, 2024.
Patchstack strongly recommends that all users of the UserPro plugin update to at least version 5.1.9 immediately to mitigate the risk of account takeover. This incident underscores the critical importance of securing all aspects of a plugin, especially those related to user password management. Proper validation and verification of objects or variables involved in the password reset process are essential to prevent such vulnerabilities. The quick response by DeluxeThemes to address this flaw is commendable, but users must remain vigilant and ensure their plugins are always up to date to protect against emerging threats.
Reference:
