CVE-2025-15030

CRITICAL
2026-02-02 [email protected]
9.8
CVSS 3.1
CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 22:01 (vuln.today)
CVE Published: Feb 02, 2026 - 07:16 (nvd), CRITICAL 9.8

Description

The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process. A few unauthenticated requests are enough to reset the password of any user whose username is known, including administrators, and thereby gain access to their account.

Analysis

An improper password reset process in the User Profile Builder WordPress plugin before 3.15.2 allows unauthenticated attackers to reset any user's password with a few requests.

Technical Context

CWE-269 in the password reset flow. A few unauthenticated requests can reset any user's password.

Affected Products

User Profile Builder for WordPress < 3.15.2

Remediation

Update to 3.15.2.

Priority Score

49
KEV: 0
EPSS: +0.0
CVSS: +49
POC: 0