CVE-2025-15030
Published: 02 February 2026
Summary
CVE-2025-15030 is a critical-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 requires secure procedures for managing and resetting authenticators like passwords, directly preventing unauthorized password resets without proper identity verification.
SI-2 mandates timely flaw remediation, such as patching the User Profile Builder plugin to version 3.15.2 or later to fix the improper password reset mechanism.
AU-12 ensures audit records are generated for account management events like password changes, enabling detection of unauthorized resets.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated exploitation of public-facing WordPress plugin for password reset enables initial access (T1190) and abuse of valid accounts (T1078).
NVD Description
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access…
more
to their account
Deeper analysisAI
CVE-2025-15030 is a critical vulnerability in the User Profile Builder WordPress plugin, affecting versions prior to 3.15.2. The flaw stems from an improper password reset process, classified under CWE-269 (Improper Privilege Management), which enables attackers to bypass authentication controls. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and lack of prerequisites for exploitation.
Unauthenticated attackers can exploit this vulnerability remotely by sending a few targeted requests, provided they know the target user's username—such as an administrator's. Successful exploitation allows the attacker to reset the password for any user account, granting full unauthorized access to that account and potentially enabling complete site compromise, including data theft, modification, or further lateral movement within WordPress environments.
The WPScan advisory at https://wpscan.com/vulnerability/344cb1b1-342e-44b2-ae4a-3bb31be56b22/ details the issue, with mitigation achieved by updating the User Profile Builder plugin to version 3.15.2 or later, which implements a proper password reset mechanism. Security practitioners should prioritize patching affected WordPress sites and review logs for suspicious reset attempts.
Details
- CWE(s)