Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-3844

The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. This is due to handel_ajax_req() function not having proper restrictions on the change_user_meta functionality that makes it possible to set a OTP code and subsequently log in with that OTP code. This makes it possible for unauthenticated attackers to login as other users on the site, including administrators.

Published

2025-05-07T03:15:17.650

Last Modified

2025-05-07T14:13:20.483

Status

Awaiting Analysis

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Secondary
CWE-288

Affected Vendors & Products

References

https://plugins.trac.wordpress.org/browser/peprodev-ups/tags/7.5.2/login/login.php#L1483 ([email protected])
https://plugins.trac.wordpress.org/browser/peprodev-ups/tags/7.5.2/login/login.php#L2836 ([email protected])
https://www.wordfence.com/threat-intel/vulnerabilities/id/65be9417-7029-4f34-b834-98208a42743b?source=cve ([email protected])