CVE-2023-6390

8.8 HIGH

📋 TL;DR

This vulnerability in the WordPress Users plugin allows attackers to trick logged-in administrators into changing plugin settings without their consent via Cross-Site Request Forgery (CSRF). Attackers can exploit this by getting an admin to click a malicious link while authenticated. All WordPress sites using the vulnerable plugin version are affected.

💻 Affected Systems

Products:
  • WordPress Users plugin
Versions: Through version 1.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the plugin active and an admin user logged in.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify plugin settings to disable security features, change user permissions, or redirect site visitors to malicious sites, potentially leading to complete site compromise.

🟠 Likely Case

Attackers would typically change settings to weaken site security, modify user roles, or inject malicious content into the site.

🟢 If Mitigated

With proper CSRF protections and admin awareness, exploitation risk is minimal as it requires admin interaction.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick an admin into clicking a malicious link while authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5 or later

Vendor Advisory: https://wpscan.com/vulnerability/a0ca68d3-f885-46c9-9f6b-b77ad387d25d/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find the 'WordPress Users' plugin.
4. Click 'Update Now' if available, or manually update to version 1.5+.
5. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable WordPress Users Plugin

Applies to: all

Temporarily deactivate the vulnerable plugin until patched.

wp plugin deactivate users

Implement CSRF Protection

Applies to: all

Add CSRF tokens to the plugin's settings forms, either via custom code or a security plugin.
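The following is an added example, not code from the WordPress Users plugin or from this advisory. It shows a generic settings handler in the shape this class of bug takes (any POST reaching the handler is honoured), next to the same handler protected with WordPress's built-in CSRF mechanism: a nonce emitted into the form with wp_nonce_field() and verified with check_admin_referer(), plus a capability check. The option name example_users_settings, the action slug example_users_save_settings and the nonce field name _example_users_nonce are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's own code). Option name, action slug and
// nonce field name below are assumptions made for illustration.

// --- Before: unprotected handler. ---
// Nothing ties the request to a form the admin actually rendered, so a form
// on a third-party page submitted by a logged-in admin's browser is accepted.
function example_users_save_settings_unprotected() {
    $raw = isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_users_settings', $raw );
}

// --- After: nonce in the form, nonce + capability check in the handler. ---
function example_users_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php // Emits a hidden field bound to this action and the current user session. ?>
        <?php wp_nonce_field( 'example_users_save_settings', '_example_users_nonce' ); ?>
        <input type="hidden" name="action" value="example_users_save_settings">
        <label>Default role <input type="text" name="settings[default_role]"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_users_save_settings_protected() {
    // Stops the request with a "link has expired" screen unless the nonce is
    // present and valid for this action and this user.
    check_admin_referer( 'example_users_save_settings', '_example_users_nonce' );

    // A valid nonce proves intent, not authority: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), '', array( 'response' => 403 ) );
    }

    // Sanitize before persisting; only known keys are stored.
    $raw   = isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $clean = array(
        'default_role' => sanitize_key( $raw['default_role'] ?? 'subscriber' ),
    );
    update_option( 'example_users_settings', $clean );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ?: admin_url() ) );
    exit;
}

// admin-post.php dispatches logged-in submissions to admin_post_{action}.
add_action( 'admin_post_example_users_save_settings', 'example_users_save_settings_protected' );
```

check_admin_referer() terminates the request on a missing or invalid nonce, so the handler body only runs for submissions that originated from the form the site itself rendered; the capability check is kept separately because a nonce is tied to the user's session, not to any permission.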

🧯 If You Can't Patch

  • Restrict admin access to trusted networks only
  • Implement strict Content Security Policy (CSP) headers

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → WordPress Users version. If version is 1.4 or earlier, you are vulnerable.

Check Version:

wp plugin get users --field=version

Verify Fix Applied:

Verify plugin version is 1.5 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin setting changes in WordPress logs
  • Admin user actions from unexpected IP addresses

Network Indicators:

  • HTTP POST requests to /wp-admin/admin.php?page=users with missing nonce parameters

SIEM Query:

source="wordpress" AND (event="plugin_settings_changed" OR uri="/wp-admin/admin.php?page=users")
