CVE-2017-16562

The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to the default URI.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
VendorProductVersion
userpropluginuserpro
𝑥
< 4.9.17.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
https://wpvulndb.com/vulnerabilities/8950
https://www.exploit-db.com/exploits/43117/
https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9
https://wpvulndb.com/vulnerabilities/8950
https://www.exploit-db.com/exploits/43117/