Vulnerability Description
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. The handel_ajax_req() function does not properly restrict the change_user_meta functionality, which makes it possible to set an OTP code for an account and subsequently log in with that OTP code. This allows unauthenticated attackers to log in as other users on the site, including administrators.
CVSS Score
9.8 (CRITICAL)
References
- https://plugins.trac.wordpress.org/browser/peprodev-ups/tags/7.5.2/login/login.p
- https://www.wordfence.com/threat-intel/vulnerabilities/id/65be9417-7029-4f34-b83
FAQ
What is CVE-2025-3844?
CVE-2025-3844 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. This is due to the handel_ajax_req() function not having proper restrictions...
How severe is CVE-2025-3844?
CVE-2025-3844 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-3844?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.