CVE-2017-16562

CRITICAL · EXPLOITED

UserPro plugin <4.9.17.1 - Auth Bypass


Exploitation Summary

CVE-2017-16562 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Colette Chamberland.

AI-analyzed exploit summary: This is a writeup describing an authentication bypass vulnerability in the Userpro WordPress plugin (versions <= 4.6.17). The exploit involves appending `?up_auto_log=true` to the target URL, which logs the attacker in as the default 'admin' user if it exists.

Description

The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to the default URI.

Exploits (1)

exploitdb WRITEUP
by Colette Chamberland · text · webapps · php
https://www.exploit-db.com/exploits/43117


Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Userpro WordPress Plugin <= 4.6.17
No auth needed
Prerequisites: Target site must have the Userpro plugin installed · Target site must have a default 'admin' user
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Issue Tracking, Third Party Advisory (x_refsource_misc): https://wpvulndb.com/vulnerabilities/8950
Exploit, Issue Tracking, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/43117/

Scores

CVSS v3 9.8
EPSS 0.2737
EPSS Percentile 97.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-12-05
CWE
CWE-287
Status published
Products (1)
userproplugin/userpro < 4.9.17.1
Published Nov 10, 2017
Tracked Since Feb 18, 2026