Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through <= 1.02.
The attacker prepares a malicious HTTP request and tricks a logged-in administrator or privileged user into unknowingly executing it (e.g., by clicking a crafted link or visiting a malicious website). The plugin does not properly verify the CSRF token, so the server accepts the request as legitimate. As a result, the attacker can perform privilege escalation — elevate their own account or another account to administrator level.
The attacker can obtain elevated privileges on the WordPress site, including potentially gaining full administrative control over the service.
Update the User Profile Meta Manager plugin to a version higher than 1.02. Apply patches available from the vendor according to the references (https://patchstack.com/database/Wordpress/Plugin/user-profile-meta/).
WordPress User Profile Meta Manager plugin by Danny Vink in versions from n/a to 1.02 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H