PT-2025-19911 · WordPress · Peprodev Ultimate Profile Solutions

Kenneth Dunn · Published 2025-05-07 · Updated 2025-05-12 · CVE-2025-3921

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: PeproDev Ultimate Profile Solutions plugin for WordPress, versions 1.9.1 through 7.5.2

Description: The issue allows unauthorized modification of data due to a missing capability check on the handel_ajax_req() function. This enables unauthenticated attackers to update any user's metadata, potentially locking an administrator out of their site when wp_capabilities is set to 0.

Recommendations: For versions 1.9.1 through 7.5.2, consider disabling the handel_ajax_req() function until a patch is available to prevent unauthorized data modification. Restrict access to user metadata updates to minimize the risk of exploitation. Avoid using the wp_capabilities variable in a way that could allow attackers to block administrator access.
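As an added illustration (not the plugin's code; the hook, function and parameter names are hypothetical), the following shows a WordPress AJAX profile handler with the class of flaw described above beside a hardened version that requires a logged-in caller, verifies a nonce, checks the caller's capability over the target user, and restricts writes to an allow-list of meta keys that excludes wp_capabilities.

```php
<?php
// Hypothetical illustration, not the plugin's code: a profile-update AJAX
// handler with a missing capability check, beside a hardened equivalent.

// Vulnerable pattern: registered on the nopriv hook (reachable without login),
// no nonce, no capability check, and the target user and meta key are taken
// straight from the request, so wp_capabilities can be overwritten.
add_action( 'wp_ajax_nopriv_profile_update', 'vulnerable_profile_update' );
add_action( 'wp_ajax_profile_update', 'vulnerable_profile_update' );
function vulnerable_profile_update() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $key     = sanitize_key( $_POST['meta_key'] ?? '' );
    $value   = wp_unslash( $_POST['meta_value'] ?? '' );
    update_user_meta( $user_id, $key, $value ); // no authorization at all
    wp_send_json_success();
}

// Hardened pattern: logged-in hook only, nonce check, capability check
// against the *target* user (not just "is logged in"), and an allow-list
// of editable keys. Privilege-bearing keys such as wp_capabilities are
// never writable through this endpoint.
const PROFILE_EDITABLE_META = array( 'first_name', 'last_name', 'description' );

add_action( 'wp_ajax_profile_update_safe', 'hardened_profile_update' );
function hardened_profile_update() {
    // Rejects the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'profile_update_nonce', 'nonce' );

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $key     = sanitize_key( $_POST['meta_key'] ?? '' );

    // edit_user is a meta capability resolved per target user; an ordinary
    // subscriber passes only for their own account, an admin for anyone.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! in_array( $key, PROFILE_EDITABLE_META, true ) ) {
        wp_send_json_error( 'meta key not editable', 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['meta_value'] ?? '' ) );
    update_user_meta( $user_id, $key, $value );
    wp_send_json_success();
}
```

The allow-list is the part that matters most for this advisory: even a correctly authenticated profile-editing endpoint must not let the caller choose the meta key freely, since wp_capabilities is the key that stores a user's roles.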

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2025-3921

Affected Products

Peprodev Ultimate Profile Solutions