CVE-2023-2446 in UserPro Plugininfo

Summary

by MITRE • 11/22/2023

The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The CVE-2023-2446 vulnerability resides within the UserPro plugin for WordPress, specifically affecting versions up to and including 5.1.1. This security flaw represents a critical information disclosure issue that undermines the integrity of user data protection mechanisms. The vulnerability manifests through the 'userpro' shortcode functionality, which is designed to display user-related information on WordPress sites. However, the implementation fails to properly validate and restrict access to sensitive user metadata, creating an exploitable pathway for unauthorized data retrieval.

The technical flaw stems from inadequate input validation and access control mechanisms within the plugin's shortcode processing logic. When the 'userpro' shortcode is invoked, it indiscriminately retrieves and displays user meta values without sufficient authorization checks. This weakness allows authenticated attackers who possess subscriber-level permissions or higher to exploit the vulnerability and extract sensitive user information that should remain protected. The vulnerability aligns with CWE-200, which addresses improper limitation of a pathname to a restricted directory, and more specifically with CWE-668, which covers insufficient restriction of a pathname to a restricted directory, though the primary classification relates to improper access control. The flaw operates at the application layer and can be categorized under the ATT&CK technique T1213.002 for Data from Information Repositories, as it facilitates unauthorized access to user data repositories.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with the means to escalate privileges and compromise higher-privileged user accounts. Attackers can leverage the retrieved sensitive meta values to conduct credential stuffing attacks, social engineering campaigns, or to identify potential targets for further exploitation. The vulnerability is particularly concerning because it requires minimal privileges to exploit, making it accessible to users with subscriber-level access who typically should not have the ability to view other users' sensitive information. This creates a significant risk for WordPress installations where the UserPro plugin is deployed, as it effectively undermines the principle of least privilege and can lead to complete account compromise.

Mitigation strategies for CVE-2023-2446 involve immediate patching of the UserPro plugin to the latest version where the vulnerability has been addressed. Administrators should also implement additional monitoring of user activity and access patterns to detect potential exploitation attempts. The recommended approach includes disabling the 'userpro' shortcode functionality until a patched version is deployed, implementing strict access controls for user meta data, and conducting comprehensive security audits of all installed plugins. Organizations should also consider implementing network-level restrictions and logging mechanisms to track unauthorized access attempts to user data. The vulnerability highlights the importance of proper input validation and access control implementation in web applications, emphasizing the need for regular security assessments and timely patch management procedures. Additionally, implementing principle of least privilege configurations and regular security training for administrators can help reduce the overall risk exposure associated with such vulnerabilities.

Responsible

Wordfence

Reservation

05/01/2023

Disclosure

11/22/2023

Moderation

accepted

CPE

ready

EPSS

0.00849

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!