Cyber Resilience

CVE-2025-15030

Critical

Published: 02 February 2026

Published
02 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0049 38.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-15030 is a critical-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15030 is a critical vulnerability in the User Profile Builder WordPress plugin, affecting versions prior to 3.15.2. The flaw stems from an improper password reset process, classified under CWE-269 (Improper Privilege Management), which enables attackers to bypass authentication controls. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and lack of prerequisites for exploitation.

Unauthenticated attackers can exploit this vulnerability remotely by sending a few targeted requests, provided they know the target user's username—such as an administrator's. Successful exploitation allows the attacker to reset the password for any user account, granting full unauthorized access to that account and potentially enabling complete site compromise, including data theft, modification, or further lateral movement within WordPress environments.

The WPScan advisory at https://wpscan.com/vulnerability/344cb1b1-342e-44b2-ae4a-3bb31be56b22/ details the issue, with mitigation achieved by updating the User Profile Builder plugin to version 3.15.2 or later, which implements a proper password reset mechanism. Security practitioners should prioritize patching affected WordPress sites and review logs for suspicious reset attempts.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access…

more

to their account

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Direct unauthenticated exploitation of public-facing WordPress plugin for password reset enables initial access (T1190) and abuse of valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14975Shared CWE-269
CVE-2025-23208Shared CWE-269
CVE-2026-8206Shared CWE-269
CVE-2025-13540Shared CWE-269
CVE-2026-2144Shared CWE-269
CVE-2026-7284Shared CWE-269
CVE-2025-13851Shared CWE-269
CVE-2026-7465Shared CWE-269
CVE-2024-12281Shared CWE-269
CVE-2025-15403Shared CWE-269

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 requires secure procedures for managing and resetting authenticators like passwords, directly preventing unauthorized password resets without proper identity verification.

prevent

SI-2 mandates timely flaw remediation, such as patching the User Profile Builder plugin to version 3.15.2 or later to fix the improper password reset mechanism.

detect

AU-12 ensures audit records are generated for account management events like password changes, enabling detection of unauthorized resets.

References