CVE-2023-2449

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published: Nov 22, 2023
Updated: Dec 4, 2023
CWE ID 94

Summary

CVE-2023-2449 is a vulnerability in the UserPro plugin for WordPress. The issue lies in the plugin's password reset functionality, specifically in the userpro_process_form function, which handles the password reset key as a plaintext value rather than a hashed one. Because the stored value is itself a valid key, anyone who can read it can reset the account password. The flaw becomes exploitable when an attacker obtains that stored key through another vulnerability, such as CVE-2023-2448 or CVE-2023-2446, or through a technique like SQL injection against another plugin or theme installed on the site. This could allow an attacker to gain unauthorized access to WordPress sites running affected versions of the UserPro plugin.
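
As an added illustration of the weakness described above (example code written for this page, not UserPro's own), here is a minimal reset-key store in plain PHP showing the weak pattern beside a hardened one; the in-memory array and the function names are assumptions standing in for the plugin's real storage.

```php
<?php
// Added example, not UserPro's code. The $store array is a constructed
// stand-in for the usermeta row where a plugin keeps its reset key.

// --- Weak pattern: the raw key is what gets stored and compared. ---
// Anyone who can read the stored row (for example via an unrelated SQL
// injection elsewhere on the site) holds a valid reset key.
function weak_issue_key(array &$store, int $userId): string {
    $key = bin2hex(random_bytes(16));
    $store[$userId] = ['key' => $key, 'expires' => time() + 3600];
    return $key;
}

function weak_verify_key(array $store, int $userId, string $candidate): bool {
    return isset($store[$userId]) && $store[$userId]['key'] === $candidate;
}

// --- Hardened pattern: only a slow hash of the key is stored. ---
// The plaintext key exists only in the message sent to the user; a dump of
// the stored rows yields hashes that cannot be replayed as keys. WordPress
// code would typically use wp_hash_password()/wp_check_password() here.
function safe_issue_key(array &$store, int $userId): string {
    $key = bin2hex(random_bytes(16));
    $store[$userId] = [
        'hash'    => password_hash($key, PASSWORD_DEFAULT),
        'expires' => time() + 3600,
    ];
    return $key; // returned once, to be mailed to the user
}

function safe_verify_key(array &$store, int $userId, string $candidate): bool {
    if (!isset($store[$userId]) || $store[$userId]['expires'] < time()) {
        return false; // unknown user or expired key
    }
    $ok = password_verify($candidate, $store[$userId]['hash']);
    if ($ok) {
        unset($store[$userId]); // single use: a key cannot be replayed
    }
    return $ok;
}

// Demonstration over the constructed store: a leaked stored value is rejected,
// the mailed key is accepted once, and a second use is refused.
$db = [];
$mailed = safe_issue_key($db, 42);
$leaked = $db[42]['hash'];
var_dump(safe_verify_key($db, 42, $leaked));
var_dump(safe_verify_key($db, 42, $mailed));
var_dump(safe_verify_key($db, 42, $mailed));
```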
