CVE-2023-2446 MEDIUM

CVE-2023-2446: UserPro <= 5.1.1 - Sensitive Information Disclosure via Shortcode

Vendor N/A

Product UserPro - Community and User Profile WordPress Plugin

Weakness CWE-200 · Info exposure

Published November 22, 2023

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account.

Key dates

02Disclosure timeline

November 22, 2023 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-2446

Related vulnerabilities

Identifiers

CVE CVE-2023-2446

CWE CWE-200

CVSS 6.5 / MEDIUM

Affected versions