CVE-2023-6008 MEDIUM

CVE-2023-6008: UserPro <= 5.1.1 - Cross-Site Request Forgery via multiple functions

Vendor N/A
Product UserPro - Community and User Profile WordPress Plugin
Weakness CWE-352 · CSRF
Published November 22, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.

Key dates

02Disclosure timeline

November 22, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-31616 WordPress Varnish WordPress plugin <= 1.7 - CSRF to Stored XSS vulnerability CVE-2023-26535 WordPress Sheets To WP Table Live Sync Plugin <= 2.12.15 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2023-52145 WordPress Republish Old Posts Plugin <= 1.21 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2019-3876 CVE-2024-30545 WordPress Social Author Bio plugin <= 2.4 - Stored XSS via Cross Site Request Forgery (CSRF) vulnerability