CVE-2023-2437
published 2023-11-22

Priority: P1 · 81 · high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 6.80% (93.2nd percentile)
The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.1. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. An attacker can leverage CVE-2023-2448 and CVE-2023-2446 to get the user's email address to successfully exploit this vulnerability.

Affected

1 range

Vendor          Product   Version range   Fixed in
userproplugin   userpro   <= 5.1.1        (none listed)

Detection & IOCs (extracted from sources)

cookie: wordpress_logged_in
cookie: wordpress_sec_
  • Detect authentication bypass attempts against the UserPro plugin (≤5.1.1) by monitoring for successful WordPress session cookies (wordpress_logged_in, wordpress_sec_) returned in response headers following a Facebook login flow request to the plugin endpoint — unauthenticated requests that yield HTTP 200 with these cookies are indicative of exploitation.
  • CVE-2023-2437 exploitation is chained with CVE-2023-2448 and CVE-2023-2446 to first enumerate a target user's email address before triggering the authentication bypass; monitor for sequential exploitation of all three CVEs from the same source IP.
  • The Sigma/nuclei detection template targets the UserPro WordPress plugin and checks for wordpress_logged_in or wordpress_sec_ cookies in response headers with HTTP 200 status; this may produce false positives on any legitimate WordPress login flow — tune to scope only to the UserPro Facebook login endpoint.
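The detection logic described in the notes above, applied to constructed proxy log records, as an added example that is not part of this record or of any vendor's template. It assumes a placeholder endpoint path (the record does not name the plugin's Facebook login endpoint) and log records shaped as the dicts below; it scopes alerts to that endpoint and to requests that carried no existing session cookie, which is the tuning the third note calls for.

```python
import re

# Placeholder (assumption): the record does not name the plugin's Facebook
# login endpoint, so substitute the real path for your deployment here.
USERPRO_FB_LOGIN_PATH = "/PLACEHOLDER-userpro-facebook-login"

# WordPress session cookies named in the detection notes.
SESSION_COOKIE_RE = re.compile(r"wordpress_(logged_in|sec_)")

def _issued_session_cookies(set_cookie_headers):
    """Names of WordPress session cookies among the response Set-Cookie headers."""
    names = [h.split("=", 1)[0].strip() for h in set_cookie_headers]
    return [n for n in names if SESSION_COOKIE_RE.match(n)]

def is_suspicious(record):
    """True when an unauthenticated request to the UserPro Facebook login
    endpoint returns HTTP 200 together with a fresh WordPress session cookie."""
    if not record["path"].startswith(USERPRO_FB_LOGIN_PATH):
        return False  # scoping to the plugin endpoint keeps normal logins quiet
    if record["status"] != 200:
        return False
    if SESSION_COOKIE_RE.search(record.get("request_cookie", "")):
        return False  # client already held a session: an authenticated user
    return bool(_issued_session_cookies(record["set_cookie"]))

def detect(records):
    """Return (source_ip, path, issued_cookie_names) per suspicious record."""
    return [(r["src_ip"], r["path"], _issued_session_cookies(r["set_cookie"]))
            for r in records if is_suspicious(r)]

# Constructed sample proxy records (not real traffic).
SAMPLE_RECORDS = [
    # Unauthenticated POST to the plugin endpoint that yields a session: alert.
    {"src_ip": "198.51.100.7", "path": USERPRO_FB_LOGIN_PATH, "status": 200,
     "request_cookie": "",
     "set_cookie": ["wordpress_logged_in_a1b2=admin%7C1700000000; Path=/; HttpOnly",
                    "wordpress_sec_a1b2=admin%7C1700000000; Path=/; Secure"]},
    # Ordinary wp-login.php login also sets these cookies but is out of scope.
    {"src_ip": "203.0.113.5", "path": "/wp-login.php", "status": 200,
     "request_cookie": "",
     "set_cookie": ["wordpress_logged_in_a1b2=editor%7C1700000000; Path=/"]},
    # Plugin endpoint used by an already logged-in user: not a bypass.
    {"src_ip": "203.0.113.9", "path": USERPRO_FB_LOGIN_PATH, "status": 200,
     "request_cookie": "wordpress_logged_in_a1b2=editor%7C1700000000",
     "set_cookie": ["wordpress_logged_in_a1b2=editor%7C1700000000; Path=/"]},
]
```

Correlating a hit with earlier requests from the same source IP against the CVE-2023-2448 and CVE-2023-2446 enumeration paths, as the second note suggests, raises confidence further.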

CVSS provenance

NVD (v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL