CVE-2017-16562

Published: Nov 10, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to the default URI.

Affected (1)

Products: Userproplugin: Userpro

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Userproplugin Userpro	Before 4.9.17.1

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (6)

https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9

Source: cve@mitre.org

Issue Tracking

https://wpvulndb.com/vulnerabilities/8950

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://www.exploit-db.com/exploits/43117/

Source: cve@mitre.org

ExploitIssue TrackingThird Party AdvisoryVDB Entry

https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://wpvulndb.com/vulnerabilities/8950

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://www.exploit-db.com/exploits/43117/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party AdvisoryVDB Entry

Timeline

No history available yet.