CVE-2025-4187: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2025-4187 affects the UserPro - Community and User Profile WordPress Plugin in all versions up to and including 5.1.10. This security flaw was discovered by researcher Trương Hữu Phúc and was publicly disclosed on June 13, 2025 (Wiz Database).

The vulnerability is classified as a Directory Traversal issue (CWE-22) that exists in the userpro_fbconnect() function. The CVSS v3.1 base score is 5.9 (Medium) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability is network-accessible, requires high attack complexity, needs no privileges or user interaction, and can result in high confidentiality impact without affecting integrity or availability (NVD Database, Wiz Database).

When exploited, this vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server. The impact is particularly concerning as these files may contain sensitive information, potentially exposing critical system data or confidential user information (NVD Database).

Users of the UserPro WordPress plugin should immediately update their installations to a version newer than 5.1.10 if available. As this is a recently disclosed vulnerability, users should monitor the official plugin page for security updates (Wiz Database).