{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-53444", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-06-30T10:46:21.828Z", "datePublished": "2026-04-15T15:43:21.294Z", "dateUpdated": "2026-04-28T16:13:24.932Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "userpro", "product": "Userpro", "vendor": "DeluxeThemes", "versions": [{"changes": [{"at": "5.1.11", "status": "unaffected"}], "lessThanOrEqual": "5.1.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ananda Dhakal (Patchstack)"}], "datePublic": "2026-04-22T14:18:26.467Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro userpro allows Cross Site Request Forgery.<p>This issue affects Userpro: from n/a through < 5.1.11.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a through < 5.1.11."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:13:24.932Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Userpro plugin < 5.1.11 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T17:25:42.581446Z", "id": "CVE-2025-53444", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:26:16.160Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-53444", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-06-30T10:46:21.828Z", "datePublished": "2026-04-15T15:43:21.294Z", "dateUpdated": "2026-04-15T17:26:16.160Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T15:43:21.294Z"}, "title": "WordPress Userpro plugin < 5.1.11 - Cross Site Request Forgery (CSRF) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "affected": [{"vendor": "DeluxeThemes", "product": "Userpro", "versions": [{"status": "affected", "version": "n/a", "lessThan": "5.1.11", "changes": [{"at": "5.1.11", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a before 5.1.11.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery.<p>This issue affects Userpro: from n/a before 5.1.11.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Userpro Plugin to the latest available version (at least 5.1.11).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Userpro Plugin to the latest available version (at least 5.1.11)."}]}], "credits": [{"lang": "en", "value": "Ananda Dhakal | Patchstack", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53444", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T17:25:42.581446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:26:06.425Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a through < 5.1.11."}], "id": "CVE-2025-53444", "lastModified": "2026-04-23T15:32:33.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-15T16:16:33.837", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Userpro", "source": "cna", "vendor": "DeluxeThemes"}, "product": "userpro", "vendor": "deluxethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-29T00:27:54.531001+00:00", "value": {"mitigation_remediation": ["Upgrade Userpro to version 5.1.11 or later, which includes the CSRF protection fix.", "If the plugin cannot be updated, deactivate or delete the vulnerable plugin instance to prevent execution of the old code.", "Apply general WordPress security best practices, such as implementing nonce checks on forms and restricting user role privileges, to reduce the window of opportunity for similar flaws."], "summary": {"action": "Upgrade plugin", "impact": "Unauthorized action via CSRF"}, "threat_synthesis": {"affected_systems": "The flaw affects every installation of the Userpro plugin for WordPress with a version older than 5.1.11, regardless of the underlying WordPress core or server configuration.", "description_and_impact": "The vulnerability is a cross\u2011site request forgery flaw (CWE\u2011352) in the DeluxeThemes Userpro WordPress plugin. It permits an attacker to trick an authenticated visitor into submitting forged requests that bypass the plugin\u2019s CSRF checks, potentially enabling unauthorized actions on the site. The CVE text does not enumerate the specific operations that could be performed; the inference that any action facilitated by the plugin might be vulnerable comes from the nature of CSRF attacks.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate impact. The EPSS score of less than 1% points to a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require the victim to be logged into the site and an attacker to embed a malicious request\u2014usually via a hosted resource that triggers the action. While CSRF techniques are common, current data suggests that widespread attacks against this weakness are unlikely, though the potential for targeted or opportunistic exploitation remains."}}}}, "created": "2026-04-15T21:02:26.795482+00:00", "updated": "2026-04-29T00:30:16.135591+00:00", "vendors": ["deluxethemes", "deluxethemes$PRODUCT$userpro", "wordpress", "wordpress$PRODUCT$wordpress"]}