On May 1, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for multiple high and critical severity vulnerabilities we discovered in Kirotech’s UserPro plugin, which is actively installed on more than 20,000 WordPress websites. Wordfence Premium, Wordfence Care, and Wordfence Response users received several firewall rules to protect against any exploits targeting these vulnerabilities on May 19, 2023. Sites still using the free version of Wordfence received the same protection on June 18, 2023. Please note that there was a delay in the release of a firewall rule while we underwent drastic changes to improve the QA of all firewall rules we release. We have no evidence to suggest that these vulnerabilities were known or targeted during this period, nor have we seen any evidence that they are currently being targeted. We made an initial attempt to contact Kirotech, the vendor of UserPro, on May 1, 2023, but we did not receive a response until May 10, 2023, after many additional attempts. After providing full disclosure details, the developer released the first patch on July 27, 2023, and the final patch on October 31, 2023. We urge users to update their sites to the latest patched version of UserPro, which is version 5.1.5 at the time of this writing, as soon as possible. Technical Analysis Password Reset to Privilege Escalation using the Sensitive Information Disclosure via Shortcode Description: UserPro <= 5.1.1 – Insecure Password Reset…Read More