PeproDev Ultimate Profile Solutions Authentication Bypass Vulnerability Allowing Account Takeover

Vulnerability

An authentication bypass vulnerability has been identified in the PeproDev Ultimate Profile Solutions plugin for WordPress, affecting versions 1.9.1 through 7.5.2. The issue arises because the 'handel_ajax_req()' function does not properly restrict the 'change_user_meta' functionality: the handler accepts requests from unauthenticated callers and lets them write user meta they should not control. This allows an unauthenticated attacker to set a one-time password (OTP) code for a victim account and then log in as that user, including administrators.
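
The flaw class described above, as an added illustration that is not the plugin's code: a WordPress AJAX handler registered on the 'wp_ajax_nopriv_' hook, so anonymous callers reach it, that writes arbitrary user meta for an attacker-chosen user ID, shown beside a hardened version. The action name 'example_profile_req', the request fields and the allowlisted meta keys are hypothetical; the WordPress functions used (add_action, check_ajax_referer, get_current_user_id, update_user_meta, wp_send_json_*) are real core APIs.

```php
<?php
/**
 * Illustrative only: this is NOT the PeproDev plugin's code. Action names,
 * request fields and meta keys are hypothetical placeholders.
 */

// VULNERABLE PATTERN. The same callback is registered for logged-in
// ('wp_ajax_') and anonymous ('wp_ajax_nopriv_') callers, and the
// 'change_user_meta' branch writes any meta key for any user ID supplied
// in the request. Nothing stops an anonymous caller from overwriting a
// security-sensitive value (for example, a stored OTP code) on an
// administrator's account.
add_action( 'wp_ajax_nopriv_example_profile_req', 'example_vulnerable_ajax_req' );
add_action( 'wp_ajax_example_profile_req',        'example_vulnerable_ajax_req' );

function example_vulnerable_ajax_req() {
    if ( isset( $_POST['do'] ) && 'change_user_meta' === $_POST['do'] ) {
        // No authentication, no nonce, no ownership check, no key allowlist.
        update_user_meta(
            (int) $_POST['user_id'],
            sanitize_key( wp_unslash( $_POST['meta_key'] ) ),
            sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        );
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown request', 400 );
}

// HARDENED PATTERN. Only the logged-in hook is registered (no 'nopriv'
// variant), the request carries a nonce, the target record is always the
// caller's own, and only an allowlist of harmless profile fields may be
// written. Anything used to authenticate (OTP codes, tokens, roles) is
// never client-writable through this path.
add_action( 'wp_ajax_example_profile_req', 'example_hardened_ajax_req' );

function example_hardened_ajax_req() {
    // Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_profile_nonce', 'nonce' );

    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    // Hypothetical allowlist of fields a user may edit about themselves.
    $allowed_keys = array( 'example_display_bio', 'example_phone' );

    $meta_key = isset( $_POST['meta_key'] )
        ? sanitize_key( wp_unslash( $_POST['meta_key'] ) )
        : '';
    if ( ! in_array( $meta_key, $allowed_keys, true ) ) {
        wp_send_json_error( 'field not editable', 403 );
    }

    $meta_value = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';

    // The target is always the authenticated caller; a 'user_id' field in
    // the request is deliberately ignored.
    update_user_meta( $user_id, $meta_key, $meta_value );
    wp_send_json_success();
}
```

The two properties that matter for an OTP-based login flow are visible in the hardened version: the client can never choose which user record it writes to, and the set of writable keys is fixed server-side so that the code the login step later compares against cannot be planted by the requester. When reviewing a plugin for this class of bug, look for any callback hooked on 'wp_ajax_nopriv_*' that reaches update_user_meta(), update_option() or wp_set_auth_cookie() with request-controlled arguments.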

Impact

Successful exploitation lets an unauthenticated attacker log in as any existing user, potentially including administrators. This is a full account takeover: the attacker can read and modify that user's data and perform any action the account is authorized for, which for an administrator means complete control of the WordPress site.

Remediation

No known patch is available. Site owners should check the installed plugin version against the affected range (1.9.1 through 7.5.2) and, until a fixed release is published, deactivate or uninstall the plugin rather than relying on other controls, since the vulnerable endpoint is reachable without authentication.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.