What the vulnerability does
01Description
Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Userpro: from n/a through <= 5.1.9.
CVE-2025-68608
HIGH
CVE-2025-68608: WordPress Userpro plugin <= 5.1.9 - Broken Access Control vulnerability
CVSS base score
7.5/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Explanation of Vulnerability in Simple Terms
02Summary
Userpro versions up to 5.1.9 lack proper authorization checks, allowing unauthenticated attackers to modify data on the site. The vulnerability requires no special setup or user interaction. Site administrators should update to a version newer than 5.1.9 immediately.
What an attacker can do
03Attacker Capabilities
Modify site data without logging in or having permission to do so.
Potential impact on your site
04Site Impact
Unauthorized users can alter content, settings, or user data depending on what Userpro controls.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
December 24, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2024-13653 ZoxPress - The All-In-One WordPress News Theme <= 2.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVE-2026-1431 Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure
CVE-2025-66526 WordPress Tablesome plugin <= 1.1.34 - Broken Access Control vulnerability
CVE-2025-42955 Missing authorization check in SAP Cloud Connector
CVE-2023-45243
