CVE-2017-16562 Information

Description

The UserPro plugin before 4.9.17.1 for WordPress when used on a site with the \admin\ username allows remote attackers to bypass authentication and obtain administrative access via a \true\ value for the up_auto_log parameter in the QUERY_STRING to the default URI.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9 https://wpvulndb.com/vulnerabilities/8950 https://www.exploit-db.com/exploits/43117/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8