CVE-2025-3921
published 2025-05-07


Priority: P3 50
CVSS 3.1: 8.2 (high)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
EPSS: 0.36% (28.2th percentile)
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handel_ajax_req() function in versions 1.9.1 to 7.5.2. This makes it possible for unauthenticated attackers to update arbitrary users' metadata, which can be leveraged to block an administrator from accessing their site when wp_capabilities is set to 0.

Affected

1 range

Vendor: peprodev
Product: peprodev_ultimate_profile_solutions
Version range: 1.9.1 – 7.5.2
Fixed in: (none listed)