216.73.216.45

CVE-2025-3921

· Published 07/05/2025 03:15 · Modified 07/05/2025 14:13

Labels: CVE-2025-3921 2025-05-07CVE-2025-3921CWE-285[email protected]

Essential information

Published
07/05/2025 03:15
Modified
07/05/2025 14:13
Author
Creator
CVSS
8.2 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CVSS metrics

Description

The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handel_ajax_req() function in versions 1.9.1 to 7.5.2. This makes it possible for unauthenticated attackers to update arbitrary user's metadata which can be leveraged to block an administrator from accessing their site when wp_capabilities is set to 0.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
peprodev / ultimate profile solutions cpe:2.3:a:peprodev:ultimate_profile_solutions:1.9.1-7.5.2:*:*:*:*:wordpress:*:*

References