CVE-2025-15030
Published 2026-02-02
CVE-2025-15030: The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the…
Priority: P185 | critical | 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW | EXPLOIT | VulnCheck KEV | Initial access
Exploited in the wild
EPSS: 0.49% (38.3th percentile)
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account
CVSS provenance
nvd | v3.1 | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 CRITICAL
GHSA
GHSA-hgq7-79qc-3jhq: The User Profile Builder WordPress plugin before 3
ghsa_unreviewed·2026-02-02
CVE-2025-15030 [CRITICAL] CWE-269 GHSA-hgq7-79qc-3jhq: The User Profile Builder WordPress plugin before 3
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account
VulnCheck
cozmoslabs profile_builder Improper Privilege Management
vulncheck·2025·CVSS 9.8
CVE-2025-15030 [CRITICAL] cozmoslabs profile_builder Improper Privilege Management
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account
Affected: cozmoslabs profile_builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/profile-builder/vulnerability/wordpress-user-profile-builder-plugin-3-15-2-unauthenticated-arbitrary-password-reset-vulnerability
Exploit PoC: https://vulncheck.com/xdb/ef8c99204b30
No detection rules found.
No public exploits indexed.
2026-02-02: Published; Exploited in the wild