CVE-2025-3924: 
WordPress vulnerability analysis and mitigation

The PeproDev Ultimate Profile Solutions plugin for WordPress (versions 1.9.1 - 7.5.2) contains a vulnerability related to unauthorized access of data through its publicly exposed reset-password endpoint. The vulnerability was discovered and reported by Wordfence, with CVE-2025-3924 being assigned on May 6, 2025 (NVD).

The vulnerability stems from improper authorization in the plugin's password reset functionality. The plugin validates the 'valid_email' value based only on a supplied username parameter, without verifying that the requester has any association with the user account. This implementation flaw has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N and is categorized under CWE-285 (Improper Authorization) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to enumerate email addresses for any user account on the affected WordPress installation, including administrator accounts. This could potentially be used for reconnaissance or as part of a larger attack campaign (NVD).

The plugin has been temporarily closed and removed from the WordPress plugin repository as of May 5, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).