{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-53444", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-06-30T10:46:21.828Z", "datePublished": "2026-04-15T15:43:21.294Z", "dateUpdated": "2026-04-15T17:26:16.160Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T15:43:21.294Z"}, "title": "WordPress Userpro plugin < 5.1.11 - Cross Site Request Forgery (CSRF) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "affected": [{"vendor": "DeluxeThemes", "product": "Userpro", "versions": [{"status": "affected", "version": "n/a", "lessThan": "5.1.11", "changes": [{"at": "5.1.11", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a before 5.1.11.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery.<p>This issue affects Userpro: from n/a before 5.1.11.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Userpro Plugin to the latest available version (at least 5.1.11).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Userpro Plugin to the latest available version (at least 5.1.11)."}]}], "credits": [{"lang": "en", "value": "Ananda Dhakal | Patchstack", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T17:25:42.581446Z", "id": "CVE-2025-53444", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:26:16.160Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-53444", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-06-30T10:46:21.828Z", "datePublished": "2026-04-15T15:43:21.294Z", "dateUpdated": "2026-04-15T17:26:16.160Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T15:43:21.294Z"}, "title": "WordPress Userpro plugin < 5.1.11 - Cross Site Request Forgery (CSRF) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "affected": [{"vendor": "DeluxeThemes", "product": "Userpro", "versions": [{"status": "affected", "version": "n/a", "lessThan": "5.1.11", "changes": [{"at": "5.1.11", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a before 5.1.11.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery.<p>This issue affects Userpro: from n/a before 5.1.11.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Userpro Plugin to the latest available version (at least 5.1.11).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Userpro Plugin to the latest available version (at least 5.1.11)."}]}], "credits": [{"lang": "en", "value": "Ananda Dhakal | Patchstack", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53444", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T17:25:42.581446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:26:06.425Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a before 5.1.11."}], "id": "CVE-2025-53444", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-15T16:16:33.837", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Userpro", "source": "cna", "vendor": "DeluxeThemes"}, "product": "userpro", "vendor": "deluxethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T22:20:50.460589+00:00", "value": {"mitigation_remediation": ["Upgrade the Userpro plugin to version 5.1.11 or later, which includes the CSRF protection fix.", "Deactivate or delete the vulnerable Userpro plugin instance to ensure no old code runs.", "Apply WordPress core security best practices, such as enabling the nonce system and limiting user roles, to reduce the impact window of any similar flaws."], "summary": {"action": "Apply patch immediately", "impact": "Unauthorized data modification or privilege escalation"}, "threat_synthesis": {"affected_systems": "The flaw exists in all versions of the Userpro plugin for WordPress older than 5.1.11. All sites running Userpro prior to this release are exposed, regardless of WordPress version or server configuration, because the plugin itself performs insufficient token validation on form submissions.", "description_and_impact": "A cross\u2011site request forgery flaw in DeluxeThemes Userpro permits an attacker to trick a logged\u2011in site visitor into submitting a forged request that bypasses normal authorization checks, allowing the attacker to perform privileged actions such as changing account settings or posting content. The vulnerability is classified as CWE\u2011352 and carries a CVSS score of 4.3, indicating moderate impact if exploited.", "risk_and_exploitability": "The exploit requires that the victim be authenticated to the site and that the attacker can embed a malicious request within a site the victim visits, typically by hosting a malicious image or script. The lack of an EPSS score and the fact that the vulnerability is not listed in the KEV catalog suggest it has not yet seen widespread exploitation. However, the moderate CVSS rating and the ease of creating CSRF requests mean that once discovered, the flaw could affect any vulnerable WordPress site quickly. Site operators who leave the plugin at a vulnerable version are at moderate to high risk if they have active user accounts with elevated privileges."}}}}, "created": "2026-04-15T21:02:26.795482+00:00", "updated": "2026-04-15T22:30:16.061330+00:00", "vendors": ["deluxethemes", "deluxethemes$PRODUCT$userpro", "wordpress", "wordpress$PRODUCT$wordpress"]}