CVE-2024-0701: 
WordPress vulnerability analysis and mitigation

The UserPro plugin for WordPress is vulnerable to Security Feature Bypass in versions up to and including 5.1.6. This vulnerability was discovered and disclosed in February 2024. The plugin allows users to create front-end user profiles and community sites in WordPress with features like customizable login/registration forms, social connect integration, and content restriction (NVD, WPScan).

The vulnerability exists due to the use of client-side restrictions to enforce the 'Disabled registration' Membership feature within the plugin's General settings. The CVSS v3.1 base score is 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

This vulnerability makes it possible for unauthenticated attackers to register an account even when account registration has been disabled by an administrator. This bypasses intended access controls and could allow unauthorized users to gain access to the system (NVD).

The vulnerability has been fixed in version 5.1.7 of the UserPro plugin. Users should update to this version or later to mitigate the security risk (WPScan, CodeCanyon).