CVE-2023-6007: 
WordPress vulnerability analysis and mitigation

The UserPro plugin for WordPress contains a critical security vulnerability (CVE-2023-6007) affecting all versions up to and including 5.1.1. The vulnerability stems from missing capability checks on multiple functions, which allows unauthorized access to data, modification of data, and potential data loss. This security issue was disclosed on November 22, 2023 (NVD).

The vulnerability is characterized by missing authorization checks (CWE-862) that enable unauthenticated attackers to add, modify, or delete user meta and plugin options. The severity assessment according to CVSS 3.1 varies between sources, with Wordfence rating it as HIGH (7.3) and NVD rating it as MEDIUM (6.5). The vulnerability affects the core functionality of the UserPro plugin, specifically its user data management capabilities (NVD).

The vulnerability's impact is significant as it allows unauthorized attackers to manipulate user data and plugin settings without authentication. This could lead to unauthorized access to sensitive information, modification of user data, and potential loss of data integrity within WordPress installations using the affected plugin (NVD).

Users of the UserPro plugin should immediately update their installations to a version newer than 5.1.1 if available. If an update is not possible, it is recommended to consider disabling the plugin until a patch is available, given the severity of the vulnerability (NVD, UserPro Plugin).