Cyber Posture

CVE-2025-9286

Severity: Critical
Published: 03 October 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.7th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9286 is a critical-severity Unverified Password Change (CWE-620) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to system resources, directly preventing unauthenticated attackers from invoking the vulnerable reset_user_password() REST handler.

AC-6 Least Privilege (prevent)
Implements least privilege to restrict password reset functionality to only authorized users or processes, mitigating unverified privilege escalation via the REST endpoint.

Account management (prevent)
Manages information system accounts, including procedures for modifying credentials such as passwords, helping to ensure unauthorized resets are not permitted.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Unauthenticated exploitation of a public-facing WordPress plugin REST API enables initial access (T1190) and privilege escalation to admin via unauthorized password resets (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, thereby gaining administrative access.

Deeper analysis

CVE-2025-9286 is a privilege escalation vulnerability in the Appy Pie Connect for WooCommerce plugin for WordPress, affecting all versions up to and including 1.1.2. The issue stems from missing authorization checks in the reset_user_password() REST API handler, allowing unauthorized password resets. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-620: Unverified Password Change.

Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. By invoking the vulnerable REST endpoint, they can reset the password of any user, including administrators, thereby gaining full administrative access to the WordPress site.

References from Wordfence, WordPress plugin trac, and the plugin page detail the issue, including source code at connect-woocommerce-rest-api.php and a patch in changeset 3385150. Mitigation involves updating to a patched version beyond 1.1.2, as indicated by the version scope in the advisory.
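As an added, hypothetical illustration of the missing-authorization pattern the analysis describes (this is not the plugin's code and not taken from the patch), the block below registers a WordPress REST route for a password reset first without a permission check and then with one; the namespace, route paths and function names are assumed.

```php
<?php
// Added illustration, not the plugin's code. Names with the "example_" prefix
// and the "example/v1" namespace are hypothetical.

// WEAK: permission_callback unconditionally allows the call, so any
// unauthenticated client can reach the reset handler (CWE-620 pattern).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/weak-reset', array(
        'methods'             => 'POST',
        'callback'            => 'example_reset_user_password',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: authorization runs before the handler (AC-3), and the capability
// check is scoped to the target user so that only someone allowed to edit
// that specific account can change its password (AC-6).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/reset', array(
        'methods'             => 'POST',
        'callback'            => 'example_reset_user_password',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $target = (int) $request->get_param( 'user_id' );
            // Cookie sessions need a valid X-WP-Nonce or core treats the
            // request as anonymous; application passwords also work here.
            if ( ! is_user_logged_in() || ! current_user_can( 'edit_user', $target ) ) {
                return new WP_Error( 'rest_forbidden', 'Not allowed.',
                    array( 'status' => rest_authorization_required_code() ) );
            }
            return true;
        },
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return is_numeric( $v ) && (int) $v > 0; },
                'sanitize_callback' => 'absint',
            ),
            'new_password' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function example_reset_user_password( WP_REST_Request $request ) {
    $user = get_user_by( 'id', (int) $request->get_param( 'user_id' ) );
    if ( ! $user ) {
        return new WP_Error( 'rest_user_invalid_id', 'Unknown user.', array( 'status' => 404 ) );
    }
    wp_set_password( $request->get_param( 'new_password' ), $user->ID );
    return rest_ensure_response( array( 'reset' => true ) );
}
```

Because the handler is identical in both registrations, the only difference is whether the permission_callback verifies the caller; a site-level review that greps REST routes for `__return_true` on state-changing endpoints is a quick way to find this class of defect.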

Details

CWE(s)

CWE-620 Unverified Password Change

Affected Products

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-4606 (shared CWE-620)
CVE-2025-63362 (shared CWE-620)
CVE-2025-1107 (shared CWE-620)
CVE-2025-11235 (shared CWE-620)
CVE-2026-30458 (shared CWE-620)
CVE-2026-24440 (shared CWE-620)
CVE-2026-27757 (shared CWE-620)
CVE-2026-24443 (shared CWE-620)
CVE-2024-12824 (shared CWE-620)
CVE-2024-13375 (shared CWE-620)

References