# CVE-2023-5448 – WP Register Profile With Shortcode – CSRF to Password Reset

## Vulnerability Overview

This vulnerability exists in the WP Register Profile With Shortcode plugin and is of the CSRF (Cross-Site Request Forgery) type.

**Vulnerability Description:** A CSRF vulnerability exists in the functionality. This allows attackers to perform unauthorized password resets, posing a severe threat to user account security and potentially enabling control over administrator-level accounts in certain scenarios.

**CVE ID:** CVE-2023-5448

**Severity:** Super High

**Researcher:** Dmitrii Ignatyev

## Scope of Impact

**Affected Plugin:** WP Register Profile With Shortcode

**Affected Versions:** <= 3.5.9

**Active Installations:** 1000+

**Potential Risks:**

- **Unauthorized Password Change:** Attackers can change a user's password without their knowledge.
- **Account Takeover:** Particularly critical for administrator accounts, potentially leading to full control.
- **Privilege Escalation:** If an attacker compromises an administrator account, they can exploit elevated privileges to compromise the entire WordPress system.

## Remediation

1. **Immediate Patching:** Developers should release an emergency patch or update to address this specific CSRF vulnerability.
2. **User Education:** Inform users about the risks of clicking unknown links and the importance of regularly changing passwords.
3. **Multi-Factor Authentication (MFA):** Encourage or mandate the use of MFA to add an additional layer of security.
4. **Security Audit:** Conduct a thorough security audit to identify and rectify any other potential vulnerabilities within WordPress settings.

## POC Code