CVE-2017-16562

CRITICAL EXPLOITED

UserPro plugin <4.9.17.1 - Auth Bypass

Title source: llm

Description

The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to the default URI.

Exploits (1)

exploitdb WRITEUP
by Colette Chamberland · textwebappsphp
https://www.exploit-db.com/exploits/43117

References (3)

Scores

CVSS v3 9.8
EPSS 0.4817
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-12-05
CWE
CWE-287
Status published
Products (1)
userproplugin/userpro < 4.9.17.1
Published Nov 10, 2017
Tracked Since Feb 18, 2026