UserPro plugin has a vulnerability enabling account takeover

The UserPro plugin for WordPress, developed by DeluxeThemes and used by over 20,000 sites, was found to have a critical security flaw in its password reset mechanism (CVE-2024-35700), allowing unauthenticated users to change passwords under certain conditions. Patchstack discovered the flaw in the userpro_process_form function, where a 'secret key' was mishandled, enabling unauthorized access to accounts. The flaw was present in all versions up to 5.1.8, and a patched version, 5.1.9, was released promptly. Patchstack advised all users to update immediately to mitigate the account takeover risk. This incident highlights the significance of securing password-related functionalities within plugins to prevent malicious exploitation and unauthorized access.
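The article does not describe how the secret key was mishandled, so the following is not UserPro's code and does not reconstruct the flaw. It is an added example of the defensive pattern a WordPress plugin should use for a password reset: delegate key issuance and verification to WordPress core (get_password_reset_key, check_password_reset_key, reset_password) rather than implementing a custom secret, and fail closed when the key is missing or does not match. The form field names, the nonce action and the /reset-password/ path are hypothetical.

```php
<?php
// Added example, not from the article or the UserPro plugin: a password-reset
// handler that lets WordPress core validate the reset key.
// Assumed (hypothetical) form fields: user_login, reset_key, new_password,
// reset_nonce. The matching wp_nonce_field() call belongs in the form markup.

/**
 * Process a password-reset submission.
 * Returns true on success or a WP_Error explaining the refusal.
 */
function example_process_password_reset( array $post ) {
    $login = isset( $post['user_login'] )   ? sanitize_user( wp_unslash( $post['user_login'] ) )        : '';
    $key   = isset( $post['reset_key'] )    ? sanitize_text_field( wp_unslash( $post['reset_key'] ) )   : '';
    $pass  = isset( $post['new_password'] ) ? (string) wp_unslash( $post['new_password'] )              : '';
    $nonce = isset( $post['reset_nonce'] )  ? (string) wp_unslash( $post['reset_nonce'] )               : '';

    // CSRF protection for the form itself (action name is hypothetical).
    if ( ! wp_verify_nonce( $nonce, 'example_reset_' . $login ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    // A missing or empty secret must be rejected exactly like a wrong one.
    // Never let "no key supplied" skip the check.
    if ( '' === $login || '' === $key || '' === $pass ) {
        return new WP_Error( 'missing_fields', 'Login, reset key and new password are required.' );
    }

    // Core looks up the stored (hashed) key for this login, checks it against
    // the supplied key, enforces the expiry window, and returns the WP_User
    // only when everything matches. Because the lookup is by login, a key
    // issued for one account cannot be replayed against another.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return $user;
    }

    // reset_password() sets the new password and clears the used key.
    reset_password( $user, $pass );
    return true;
}

/**
 * Issue a reset key for an account and build the link to e-mail to it.
 * Core generates a random key and stores only a hashed copy with a timestamp.
 */
function example_issue_reset_link( string $login ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' );
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }

    // The raw key goes only to the account's own e-mail address; it is never
    // echoed back in a page or accepted from an unauthenticated request
    // without check_password_reset_key() above.
    return add_query_arg(
        array(
            'user_login' => rawurlencode( $user->user_login ),
            'reset_key'  => rawurlencode( $key ),
        ),
        home_url( '/reset-password/' ) // hypothetical page slug
    );
}
```

The point of the structure is that the plugin never holds its own notion of a "secret key": the only way to reach reset_password() is through check_password_reset_key(), so an absent, stale, or mismatched key cannot be turned into a password change. Detection-wise, a reset handler that changes a password without a preceding successful key check, or that treats an empty key as acceptable, is the pattern to look for when reviewing plugin code after an advisory like this one.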
https://www.infosecurity-magazine.com/news/userpro-plugin-flaw-allows-account/