"UserPro Plugin Vulnerability Allows Account Takeover"

Security researchers at Patchstack recently discovered a significant security vulnerability in the UserPro plugin, a popular community and user profile tool for WordPress developed by DeluxeThemes. The plugin, used by over 20,000 sites, lets site owners build customizable front-end profiles and community websites.

The critical flaw lies in the plugin's password reset mechanism, specifically within the userpro_process_form function, which allowed unauthenticated users to change other users' passwords under certain conditions. The researchers noted that the vulnerability, CVE-2024-35700, stems from improper handling of a "secret key" used during the password reset process: the function failed to properly verify the key, which let attackers gain unauthorized access to user accounts. The vulnerability is rated critical because it allows an attacker to change the password of any user who has a secret key set, a state that commonly occurs when a user has requested a password reset. According to the researchers, an attacker can exploit this by initiating a password reset and then intercepting or manipulating the secret key before the legitimate user completes the process.

The flaw was present in all versions of the UserPro plugin up to and including version 5.1.8. The vendor responded promptly, releasing a patched version, 5.1.9, on April 29, 2024. Patchstack recommends that all UserPro users update the plugin to at least version 5.1.9 immediately.
Infosecurity Magazine reports: "UserPro Plugin Vulnerability Allows Account Takeover"

Submitted by Adam Ekwall on