CVE-2025-15030

The User Profile Builder WordPress plugin before 3.15.2

Executive summary

A critical vulnerability exists in the User Profile Builder WordPress plugin that allows an unauthenticated attacker to reset the password for any user, including administrators, knowing only their username. Successful exploitation results in a complete account takeover, granting the attacker full control over the affected WordPress site, leading to potential data theft, website defacement, or further attacks.

Vulnerability

The plugin's password reset flow does not verify that the party requesting the reset actually owns the account before it accepts a new password. An unauthenticated remote attacker who knows a target username can send a small number of crafted requests to the password reset endpoint, skipping the usual safeguard of a confirmation link delivered to the account's registered email address, set a new password directly, and then log in as that user.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to a full compromise of the organization's website. An attacker gaining administrator-level access can steal sensitive user data, inject malicious code or malware, deface the website, disrupt business operations, and use the compromised server as a pivot point for further attacks on the internal network. The potential consequences include significant reputational damage, financial loss, and regulatory penalties related to data breaches.

Remediation

Immediate Action: Update the User Profile Builder WordPress plugin to version 3.15.2 or later, which patches this vulnerability. After updating, review all administrative user accounts and access logs for unauthorized password changes or suspicious login activity. Note that patching alone does not evict an attacker who already reset a password before the update: if there is any doubt about prior exploitation, rotate the passwords of administrator accounts and invalidate active sessions.

Proactive Monitoring: Monitor web server access logs and WordPress security logs for an unusual volume of password reset requests, especially multiple attempts from a single IP address targeting different users. Scrutinize successful login events for administrator accounts, paying close attention to unfamiliar IP addresses, geolocations, or login times. Implement file integrity monitoring to detect unauthorized changes to plugin or core WordPress files.
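The burst detection described above, as an added example that is not part of this advisory and not code from the plugin: it parses web server access log lines in Combined Log Format and flags any client IP that sends more than a threshold of POST requests to the password reset endpoint within a sliding time window. The advisory does not name the plugin's reset endpoint, so the path marker in RESET_PATH_MARKERS is a placeholder you must replace with the path observed in your own traffic; the log lines are constructed samples.

```python
"""Flag bursts of password-reset requests per client IP in access logs.

Added illustration for this advisory; not the plugin's code and not the
advisory author's code. The reset endpoint path is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# ASSUMPTION / placeholder: substrings identifying the plugin's reset request.
# The advisory does not give the real endpoint; set this from your own site.
RESET_PATH_MARKERS = ("/reset-password/",)

# Constructed sample log: 203.0.113.7 fires six reset POSTs in ~15 seconds,
# 198.51.100.4 resets once in the afternoon and once in the evening.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:13:55:01 +0000] "GET /reset-password/ HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2025:13:55:04 +0000] "POST /reset-password/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2025:13:55:06 +0000] "POST /reset-password/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2025:13:55:09 +0000] "POST /reset-password/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2025:13:55:11 +0000] "POST /reset-password/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2025:13:55:14 +0000] "POST /reset-password/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2025:13:55:16 +0000] "POST /reset-password/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2025:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Oct/2025:14:02:10 +0000] "POST /reset-password/ HTTP/1.1" 302 0
198.51.100.4 - - [10/Oct/2025:17:30:00 +0000] "POST /reset-password/ HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_reset_request(entry):
    """Only POSTs count: a GET of the reset page is a normal page view."""
    return entry["method"] == "POST" and any(
        marker in entry["path"] for marker in RESET_PATH_MARKERS
    )


def find_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: max_requests_in_window} for IPs at or above threshold.

    Uses a two-pointer sweep over each IP's sorted timestamps so the cost is
    linear in the number of reset requests per IP.
    """
    per_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_reset_request(entry):
            per_ip[entry["ip"]].append(entry["ts"])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {count} password-reset POSTs within 10 minutes")
```

Access logs carry no usernames, so this catches the volume signal only; correlate flagged IPs with WordPress-side events (password changed, admin login) to see which accounts were targeted. Tune the threshold to the normal reset rate of your site; a legitimate user rarely needs more than two or three resets in a short period.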

Compensating Controls: If patching is not immediately possible, consider the following controls:

  • Implement a Web Application Firewall (WAF) with custom rules to block or rate-limit requests to the plugin's password reset endpoint.
  • Temporarily disable the User Profile Builder plugin until it can be safely updated.
  • Enforce Multi-Factor Authentication (MFA) on all WordPress accounts, especially for administrators, so that a reset password alone is not enough to log in. WordPress core has no built-in MFA, so this means an MFA plugin; make sure it also covers alternative login paths (XML-RPC, the REST API, and any front-end login form the profile plugin itself provides), otherwise an attacker can log in through the uncovered path.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical severity (CVSS 9.8) and the ease of exploitation requiring no authentication, this vulnerability represents a clear and present danger to affected organizations. We strongly recommend that the required patch be applied immediately as the highest priority action. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion and widespread exploitation. Organizations must act on the assumption that they are an active target and remediate this vulnerability without delay to prevent a complete website compromise.