CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-48340

CVSS 9.8v3.1pub. 2025-05-19upd. 2026-04-23

Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through <= 1.02.

🤖 AI Analysis
How it works

The attacker prepares a malicious HTTP request and tricks a logged-in administrator or privileged user into unknowingly executing it (e.g., by clicking a crafted link or visiting a malicious website). The plugin does not properly verify the CSRF token, so the server accepts the request as legitimate. As a result, the attacker can perform privilege escalation — elevate their own account or another account to administrator level.

Impact

The attacker can obtain elevated privileges on the WordPress site, including potentially gaining full administrative control over the service.

Mitigation & patch

Update the User Profile Meta Manager plugin to a version higher than 1.02. Apply patches available from the vendor according to the references (https://patchstack.com/database/Wordpress/Plugin/user-profile-meta/).

Who is affected

WordPress User Profile Meta Manager plugin by Danny Vink in versions from n/a to 1.02 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
LPE
CWE
References