CVE-2025-3921 HIGH

CVE-2025-3921: PeproDev Ultimate Profile Solutions 1.9.1 - 7.5.2 - Missing Authorization to Limited Unauthenticated Arbitrary User Meta Update via handel_ajax_req Function

Vendor Peprodev

Product PeproDev Ultimate Profile Solutions

Weakness CWE-285

Published May 7, 2025

Last update May 7, 2025

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handel_ajax_req() function in versions 1.9.1 to 7.5.2. This makes it possible for unauthenticated attackers to update arbitrary user's metadata which can be leveraged to block an administrator from accessing their site when wp_capabilities is set to 0.

Key dates

02Disclosure timeline

May 7, 2025 CVE published

May 7, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-3921 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/285.html

Related vulnerabilities

Identifiers

CVE CVE-2025-3921

CWE CWE-285

CVSS 8.2 / HIGH

Affected versions