Platform: wordpress
Component: userpro
Fixed in: 5.1.12
A Cross-Site Request Forgery (CSRF) vulnerability exists in DeluxeThemes Userpro, a WordPress plugin. This flaw allows an attacker to trick authenticated users into unknowingly executing unwanted actions, such as modifying their profile information or performing administrative tasks. The vulnerability impacts versions from 0.0.0 through 5.1.11. Applying the provided patch resolves the issue.
Successful exploitation of this CSRF vulnerability could allow an attacker to ride on a victim's authenticated session and perform actions as that user. This could include modifying user profiles (usernames, email addresses, passwords), changing plugin settings, or even executing administrative functions if the user has sufficient privileges. The blast radius extends to any logged-in WordPress user whose browser can be induced to send a request to the vulnerable plugin endpoint. While no specific real-world exploits have been publicly reported for this exact vulnerability, CSRF vulnerabilities are frequently leveraged in phishing campaigns and automated attacks to compromise user accounts.
This vulnerability was published on 2026-04-15. Its severity is currently rated as MEDIUM (CVSS 4.3). There are no known public exploits or active campaigns targeting this specific vulnerability at this time. It is not listed on KEV or EPSS. However, given the widespread use of WordPress plugins and the ease of exploiting CSRF vulnerabilities, it remains a potential risk.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to upgrade to version 5.1.11 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the plugin can load resources. Additionally, implement strict input validation and output encoding to prevent malicious data from being processed. While a WAF can offer some protection, it's not a substitute for patching the vulnerable plugin. After upgrading, verify the fix by attempting to trigger a CSRF attack using a tool like Burp Suite and confirming that the request is blocked or fails.
Update to version 5.1.11, or a newer patched version
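The following is an added illustration, not UserPro's code and not the vendor's patch. It shows the shape a CSRF bug of this class takes in a WordPress plugin handler and the standard WordPress fix: a per-user, per-action nonce checked with check_admin_referer(), plus a capability check. This is the control a plugin-side CSRF fix normally adds; a CSP and input validation, mentioned above as extra layers, address resource loading and injection rather than forged requests. All names prefixed demo_ are hypothetical; every wp_*, check_*, esc_* and is_* function is WordPress core.

```php
<?php
/**
 * Added example (hypothetical "demo" plugin, not UserPro): a profile-update
 * handler posted to admin-post.php with action=demo_update_profile, first
 * without CSRF protection and then hardened with a WordPress nonce.
 */

// --- Vulnerable shape (illustrative only, never registered below) -----------
// Any page the victim visits can submit a form to admin-post.php with
// action=demo_update_profile. The browser attaches the victim's login cookie,
// and nothing here distinguishes a forged request from a genuine one.
function demo_update_profile_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', 403 );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    wp_update_user( array( 'ID' => get_current_user_id(), 'user_email' => $email ) );
    wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
    exit;
}

// --- Hardened shape ---------------------------------------------------------
// 1. The form carries a nonce bound to the action name and the current user.
// 2. The handler refuses any request whose nonce is missing or invalid.
// 3. It also checks the capability the action needs: a nonce only proves the
//    request originated from a form this site rendered for this user.
function demo_render_profile_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_update_profile" />
        <?php wp_nonce_field( 'demo_update_profile', 'demo_nonce' ); ?>
        <input type="email" name="email"
               value="<?php echo esc_attr( wp_get_current_user()->user_email ); ?>" />
        <button type="submit">Save</button>
    </form>
    <?php
}

function demo_update_profile_hardened() {
    // Ends the request with a 403 unless $_POST['demo_nonce'] verifies for
    // the action 'demo_update_profile' and the currently logged-in user.
    check_admin_referer( 'demo_update_profile', 'demo_nonce' );

    if ( ! current_user_can( 'edit_user', get_current_user_id() ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid email address', 400 );
    }

    $result = wp_update_user( array( 'ID' => get_current_user_id(), 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 500 );
    }

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
}

// Only the hardened handler is wired up; admin_post_{action} fires for
// logged-in users, which is exactly the population CSRF targets.
add_action( 'admin_post_demo_update_profile', 'demo_update_profile_hardened' );
```

Because the nonce value depends on the logged-in user and rotates on a fixed time window, a form hosted on a third-party site cannot supply one, so the forged request fails at check_admin_referer() before any state changes. This is also the behaviour the verification step above is looking for: a profile-update request submitted without the site's own nonce should be rejected with a 403, not applied.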
CVE-2025-53444 describes a Cross-Site Request Forgery (CSRF) vulnerability in the DeluxeThemes Userpro WordPress plugin, allowing attackers to perform actions as authenticated users.
You are affected if you are using DeluxeThemes Userpro versions 0.0.0 through 5.1.11. Check your plugin version and upgrade immediately if vulnerable.
Upgrade to version 5.1.11 or later to resolve the vulnerability. Consider implementing a Content Security Policy (CSP) as an additional layer of defense.
There are currently no known public exploits or active campaigns targeting this specific vulnerability, but it remains a potential risk due to the nature of CSRF attacks.
Please refer to the DeluxeThemes website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-53444.