CVE-2023-2497: 
WordPress vulnerability analysis and mitigation

The UserPro plugin for WordPress (versions up to and including 5.1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2023-2497. The vulnerability stems from missing or incorrect nonce validation in the 'import_settings' function, which was disclosed on November 22, 2023 (NVD CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-352 (Cross-Site Request Forgery). The vulnerability allows unauthenticated attackers to exploit PHP Object Injection through the use of unserialize() on user-supplied parameters via a forged request (NVD CVE).

If successfully exploited, the vulnerability could allow attackers to achieve high levels of confidentiality, integrity, and availability impact on the target system. The attack requires user interaction, typically in the form of tricking a site administrator into clicking a malicious link (NVD CVE).

Users should update to a version newer than 5.1.0 of the UserPro plugin. The vulnerability affects all versions up to and including 5.1.0 (UserPro Plugin).