CVE-2023-2437

9.8 CRITICAL

📋 TL;DR

The UserPro WordPress plugin, in versions up to and including 5.1.1, contains an authentication bypass in its Facebook login functionality. An unauthenticated attacker who knows the email address of an existing account can log in as that user, including administrators, without holding any Facebook credentials for it. Because the only secret needed is an email address, the flaw is routinely chained with CVE-2023-2448 and CVE-2023-2446, which leak user email addresses, to obtain a target.

💻 Affected Systems

Products:
  • WordPress UserPro plugin
Versions: Up to and including 5.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only when the plugin's Facebook login feature is enabled. In practice the attacker first harvests user email addresses, typically by chaining CVE-2023-2448 and CVE-2023-2446, and then uses one of them against the Facebook login handler.

📦 What is this software?

UserPro is a commercial WordPress plugin sold through CodeCanyon that adds front-end user profiles, registration and login forms, and social login (including Facebook) to a WordPress site. It is not distributed through the wordpress.org plugin directory, so updates arrive through the vendor's own channel rather than the standard repository updater.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover with administrative privileges, allowing data theft, defacement, malware injection, and full control over the WordPress installation.

🟠

Likely Case

Unauthorized access to user accounts, potential privilege escalation to administrator if admin email is obtained, and data compromise.

🟢

If Mitigated

Not exploitable once the plugin is updated to 5.1.2 or later, or while the Facebook login feature is disabled. Short of that, the impact is limited only by how hard it is for an attacker to learn a valid user's email address, which is weak protection: addresses are often public, and the chained CVEs disclose them directly.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on Packet Storm Security. Successful exploitation requires obtaining target user email addresses, often through chaining with other vulnerabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.1.2 or later

Vendor page (CodeCanyon product listing, where the changelog is published): https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the UserPro plugin and check for an available update.
4. Update to version 5.1.2 or later. Because UserPro is a CodeCanyon plugin, no update may be offered here if the plugin's license is not registered; in that case download the current release from your CodeCanyon purchases and install it via Plugins → Add New → Upload Plugin.
5. Verify that the installed version now reads 5.1.2 or higher.

🔧 Temporary Workarounds

Disable Facebook Login

Applies to: all affected versions

Temporarily disable the Facebook login functionality in UserPro plugin settings to prevent exploitation.

Disable UserPro Plugin

Applies to: all affected versions

Deactivate the UserPro plugin until patched to completely eliminate the vulnerability.

🧯 If You Can't Patch

  • Block or restrict requests to the plugin's Facebook login handler at the web server or WAF if Facebook login is not actually needed by your users; this removes the reachable code path without touching plugin settings.
  • Monitor for logins that originate from the Facebook login flow, especially for administrator and editor accounts, and for administrator sessions that start from unexpected locations.
  • Do not rely on keeping user email addresses secret as a control: they are often public, and the chained CVEs disclose them directly.

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel go to Plugins → Installed Plugins and read the UserPro version. If it is 5.1.1 or lower, the installation is affected (and exploitable whenever the Facebook login feature is enabled).

Check Version:

wp plugin list --name=userpro --field=version (if WP-CLI is installed)

Verify Fix Applied:

After updating, verify UserPro plugin version is 5.1.2 or higher in WordPress admin panel.
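The checks above can be scripted. The following is an added example, not code from the advisory or from the UserPro plugin: it compares an installed version against the fixed release 5.1.2 using a portable dotted-version comparison, and, when WP-CLI is not available, falls back to reading the standard `Version:` header from the plugin's main PHP file. The plugin directory `wp-content/plugins/userpro` used in that fallback is an assumption about the default install location, not something the advisory states.

```shell
#!/bin/sh
# Added example: is the installed UserPro version in the affected range?
# Not from the advisory or the plugin. Assumptions: the fixed release is 5.1.2
# (as the advisory states) and, for the WP-CLI-less fallback, that the plugin
# lives in wp-content/plugins/userpro (a guess at the default install path).

FIXED_VERSION="5.1.2"

# version_cmp A B : prints -1, 0 or 1 as A is lower than, equal to, or higher
# than B. Compares dotted numeric fields left to right, treating a missing
# field as 0 and dropping suffixes such as "-beta". Pure POSIX sh, no sort -V.
version_cmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return; fi
    done
    echo 0
}

# userpro_status VERSION : prints "vulnerable" for anything below 5.1.2,
# otherwise "patched".
userpro_status() {
    if [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# header_version : reads a WordPress plugin main file on stdin and prints the
# value of its "Version:" header line, e.g. " * Version: 5.1.1" -> "5.1.1".
header_version() {
    sed -n 's/^[[:space:]*#]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# installed_version [PLUGIN_DIR] : prints the installed UserPro version.
# Prefers the WP-CLI command given in the advisory; otherwise scans the
# plugin directory for a PHP file carrying the plugin header.
installed_version() {
    dir="${1:-wp-content/plugins/userpro}"
    if command -v wp >/dev/null 2>&1; then
        v="$(wp plugin list --name=userpro --field=version 2>/dev/null)"
        [ -n "$v" ] && { echo "$v"; return 0; }
    fi
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        v="$(header_version < "$f")"
        [ -n "$v" ] && { echo "$v"; return 0; }
    done
    return 1
}

# Usage: sh userpro_check.sh --check [PLUGIN_DIR]
# The functions above can also be sourced without running anything.
if [ "${1:-}" = "--check" ]; then
    v="$(installed_version "${2:-}")" || v=""
    if [ -z "$v" ]; then
        echo "UserPro: not found (no WP-CLI result and no plugin header)" >&2
        exit 2
    fi
    echo "UserPro $v: $(userpro_status "$v")"
fi
```

Run it from the WordPress document root as `sh userpro_check.sh --check`, or pass the plugin directory explicitly. The version comparison is field-wise rather than a string comparison, so 5.1.10 correctly counts as newer than 5.1.2.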

📡 Detection & Monitoring

Log Indicators:

  • Successful logins for administrator or editor accounts that arrive through the plugin's Facebook login flow rather than wp-login.php
  • Administrator sessions beginning from unexpected locations or client software (scripted user agents rather than browsers)
  • A burst of requests to the Facebook login handler for several different accounts from one source, which is what an attacker iterating over harvested email addresses looks like

Network Indicators:

  • HTTP POST requests to /wp-content/plugins/userpro/facebook/ carrying authentication parameters, in particular from sources that never visited Facebook's OAuth endpoints beforehand; confirm the exact handler path against your own web server logs, since it depends on the installation
  • Requests to wp-admin from the same client shortly after such a POST

SIEM Query:

source="wordpress.log" AND ("facebook/login" OR "userpro/facebook") AND status=200

This query also matches every legitimate Facebook login, so use it as a baseline rather than an alert on its own: alert when a hit is followed by administrator-level activity from the same source, or when one source produces hits for many different accounts.
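The correlation the query above cannot express on its own (a successful hit on the Facebook login handler followed shortly by wp-admin access from the same client) can be done over raw access logs. The following is an added example, not part of the advisory or the plugin: an awk filter over combined-format web server log lines. The handler path is taken from the advisory's network indicator and should be adjusted to what your server actually logs; the sample log lines are constructed for the example, and the "admin access within N seconds" heuristic is this example's own assumption about attacker behaviour, not something the advisory documents.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin: flag clients that got an
# HTTP 200 from the UserPro Facebook login handler and then requested
# /wp-admin/ within a short window. Front-end profile users rarely go to
# wp-admin right after a social login; an attacker who just became an
# administrator does. The window heuristic is an assumption of this example.

# suspect_ips [WINDOW_SECONDS] : reads combined-format access log lines on
# stdin and prints, one per line, each client IP that matches the pattern.
# Field layout: $1 IP, $4 "[dd/Mon/yyyy:HH:MM:SS", $7 request path, $9 status.
# Timestamps are reduced to seconds-of-day, so the correlation is same-day only.
suspect_ips() {
    awk -v win="${1:-300}" '
    function secs(ts,   t) {
        split(ts, t, ":")
        return t[2] * 3600 + t[3] * 60 + t[4]
    }
    # Handler path from the advisory; adjust to the path your server logs.
    $9 == 200 && $7 ~ /^\/wp-content\/plugins\/userpro\/facebook\// {
        last[$1] = secs($4)
    }
    $7 ~ /^\/wp-admin\// && ($1 in last) {
        d = secs($4) - last[$1]
        if (d >= 0 && d <= win && !seen[$1]++) print $1
    }'
}

# Constructed sample log (not real traffic). Expected with the default 300 s
# window: only 203.0.113.7 is flagged. 198.51.100.4 never visits wp-admin,
# 192.0.2.9 got a 403 from the handler, and 192.0.2.50 waited 27 minutes.
SAMPLE_LOG='203.0.113.7 - - [10/May/2023:12:00:01 +0000] "POST /wp-content/plugins/userpro/facebook/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2023:12:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2023:12:01:10 +0000] "POST /wp-content/plugins/userpro/facebook/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2023:12:01:20 +0000] "GET /my-profile/ HTTP/1.1" 200 7701 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2023:12:02:00 +0000] "POST /wp-content/plugins/userpro/facebook/ HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.9 - - [10/May/2023:12:02:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.50 - - [10/May/2023:12:03:00 +0000] "POST /wp-content/plugins/userpro/facebook/ HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.50 - - [10/May/2023:12:30:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812 "-" "curl/8.0"'

# Run against the constructed sample when executed directly:
#   sh userpro_detect.sh
# Against a real log: suspect_ips 300 < /var/log/nginx/access.log
if [ "${1:-}" = "" ] && [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | suspect_ips 300
fi
```

Widen the window (for example `suspect_ips 3600`) to catch slower operators; the constructed 192.0.2.50 client is flagged at that setting. Treat hits as leads to verify against the WordPress user table (new administrators, changed emails, recent last-login metadata), not as proof of compromise.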
