CVE-2025-3921: 
WordPress vulnerability analysis and mitigation

The PeproDev Ultimate Profile Solutions plugin for WordPress contains a critical vulnerability (CVE-2025-3921) affecting versions 1.9.1 to 7.5.2. The vulnerability was discovered and reported on May 6, 2025, leading to the plugin being temporarily closed on May 5, 2025, pending a full security review (Wiz Report, NVD).

The vulnerability stems from a missing capability check in the handelajaxreq() function, which constitutes an improper authorization control (CWE-285). It has been assigned a CVSS v3.1 Base Score of 8.2 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L, indicating a high-severity issue with network accessibility and no authentication requirements (NVD, Wiz Report).

When exploited, this vulnerability allows unauthenticated attackers to modify arbitrary user metadata. The most severe impact is the ability to set wp_capabilities to 0, effectively blocking administrator access to their own website (NVD, Wiz Report).

The plugin has been temporarily closed and is not available for download as of May 5, 2025. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).