cleantalk
Vulnerabilities and Security Researches

PeproDev Ultimate Profile Solutions, CVE-2025-3844

CVE, Research URL

CVE-2025-3844

Home page URL

Security reports for PeproDev Ultimate Profile Solutions

Application

PeproDev Ultimate Profile Solutions

Published on
May 07, 2025
Research Description
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. This is due to handel_ajax_req() function not having proper restrictions on the change_user_meta functionality that makes it possible to set a OTP code and subsequently log in with that OTP code. This makes it possible for unauthenticated attackers to login as other users on the site, including administrators.
Affected versions
Min 1.9.1, max 7.5.2.
Status
vulnerable
Previous vulnerability researches
Labinator Content Types Duplicator (CVE-2025-31809) , Apr 03, 2025
Theme Duplicator (CVE-2025-31845) , Apr 03, 2025
WP Bulk Post Duplicator (CVE-2025-28884) , Mar 13, 2025
Multisite Post Duplicator (CVE-2016-10944) , Jun 07, 2024
Theme File Duplicator (CVE-2025-27283) , Feb 27, 2025
New vulnerability
Drag and Drop Multiple File Upload for WooCommerce (CVE-2025-4403) , May 11, 2025
Contact Us By Lord Linus (CVE-2025-1382) , May 11, 2025
Contact Form by WPForms – Drag & Drop Form Builder for WordPress (CVE-2025-3794) , May 10, 2025
Jeg Elementor Kit (CVE-2025-2944) , May 10, 2025
1 Click WordPress Migration Plugin – 100% FREE for a limited time (CVE-2025-3455) , May 10, 2025