Critical severity9.8NVD Advisory· Published May 7, 2025· Updated Apr 15, 2026
CVE-2025-3844
CVE-2025-3844
Description
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. This is due to handel_ajax_req() function not having proper restrictions on the change_user_meta functionality that makes it possible to set a OTP code and subsequently log in with that OTP code. This makes it possible for unauthenticated attackers to login as other users on the site, including administrators.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: >=1.9.1, <=7.5.2
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.