Medium severity 5.3 · NVD Advisory · Published May 7, 2025 · Updated Apr 15, 2026
CVE-2025-3924
Description
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized access of data via its publicly exposed reset-password endpoint. The plugin looks up the 'valid_email' value based solely on a supplied username parameter, without verifying that the requester is associated with that user account. This allows unauthenticated attackers to enumerate email addresses for any user, including administrators.
Affected products
- Range: <=7.5.2
References
- plugins.trac.wordpress.org/browser/peprodev-ups/tags/7.5.2/login/login.php (nvd)
- wordpress.org/plugins/peprodev-ups/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/7bb36c0f-68b3-492e-9f08-fe6228b0363f (nvd)