
CVE-2025-3924: CWE-285 Improper Authorization in peprodev PeproDev Ultimate Profile Solutions

Medium
Tags: Vulnerability, CVE-2025-3924, cve, cve-2025-3924, cwe-285
Published: Wed May 07 2025 (05/07/2025, 01:43:07 UTC)
Source: CVE
Vendor/Project: peprodev
Product: PeproDev Ultimate Profile Solutions

Description

The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized access of data via its publicly exposed reset-password endpoint. The plugin looks up the 'valid_email' value based solely on a supplied username parameter, without verifying that the requester is associated with that user account. This allows unauthenticated attackers to enumerate email addresses for any user, including administrators.

AI-Powered Analysis

Last updated: 07/05/2025, 14:25:58 UTC

Technical Analysis

CVE-2025-3924 is a medium-severity vulnerability affecting the PeproDev Ultimate Profile Solutions plugin for WordPress, specifically version 1.9.1. The vulnerability arises from improper authorization (CWE-285) in the plugin's reset-password endpoint, which is publicly accessible. The endpoint accepts a username parameter and returns the associated 'valid_email' value without verifying that the requester is authorized or linked to that user account. This missing access-control check enables unauthenticated attackers to enumerate the email addresses of any user on the WordPress site, including administrators. The vulnerability does not allow direct password resets or account takeover, but it exposes sensitive user information that can be leveraged for targeted phishing, social engineering, or further attacks. The CVSS 3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts confidentiality only, with no effect on integrity or availability. No known exploits are currently reported in the wild, and no patches have been published yet. The issue was reserved in April 2025 and published in May 2025; it was assigned by Wordfence and has been enriched by CISA.

Potential Impact

For European organizations using WordPress sites with the PeproDev Ultimate Profile Solutions plugin version 1.9.1, this vulnerability poses a risk of unauthorized disclosure of user email addresses, including those of administrators. Exposure of administrator emails can facilitate spear-phishing campaigns, targeted social engineering, and credential harvesting attacks, potentially leading to more severe compromises. While the vulnerability itself does not allow direct account takeover, it lowers the barrier for attackers to identify high-value targets within an organization. This can be particularly impactful for sectors with strict data protection requirements under GDPR, as unauthorized disclosure of personal data (email addresses) may lead to compliance issues and reputational damage. Additionally, organizations relying on WordPress for customer-facing or internal portals may face increased risk of targeted attacks leveraging the leaked information. The medium severity indicates a moderate risk, but the potential for follow-on attacks elevates the importance of addressing this vulnerability promptly.

Mitigation Recommendations

1. Immediate mitigation involves disabling or restricting access to the reset-password endpoint in the PeproDev Ultimate Profile Solutions plugin until a patch is available. This can be done via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests to this endpoint.
2. Implement strict access control checks within the plugin code to verify that the requester is authorized and associated with the username before returning any email information.
3. Monitor logs for unusual or repeated access attempts to the reset-password endpoint to detect enumeration activity.
4. Educate users and administrators about phishing risks and encourage use of multi-factor authentication (MFA) to mitigate risks from potential targeted attacks.
5. Keep WordPress core, plugins, and themes updated, and subscribe to vendor security advisories for timely patching once a fix is released.
6. Consider deploying rate limiting on password reset or similar endpoints to reduce the feasibility of enumeration attacks.
7. Review and audit user data exposure in other plugins or custom code to prevent similar authorization weaknesses.
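The following is an added illustration of recommendations 2 and 6 (not code from the PeproDev plugin or from this advisory): a hypothetical WordPress AJAX handler for a reset-password request that never returns account data to the caller, applies a simple per-address rate limit, and answers identically whether or not the username exists. The action name `pepro_reset_password`, the nonce name, and the request field names are placeholders; only core WordPress functions are used.

```php
<?php
// Hypothetical hardened reset-password handler for a WordPress plugin.
// Placeholders: action name, nonce action and request field names.

add_action( 'wp_ajax_nopriv_pepro_reset_password', 'pepro_handle_reset_request' );
add_action( 'wp_ajax_pepro_reset_password', 'pepro_handle_reset_request' );

function pepro_handle_reset_request() {
    // Weak pattern described in the advisory, shown only for contrast:
    //   $user = get_user_by( 'login', $_POST['username'] );
    //   wp_send_json_success( array( 'valid_email' => $user->user_email ) );
    // Any unauthenticated caller learns the e-mail tied to any username.

    // 1. Require a nonce so the request originates from the plugin's own form.
    check_ajax_referer( 'pepro_reset_password_nonce', 'nonce' );

    // 2. Per-source-address rate limit: 5 attempts per 15 minutes (transient-based).
    $ip       = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '0.0.0.0';
    $key      = 'pepro_reset_' . md5( $ip );
    $attempts = (int) get_transient( $key );
    if ( $attempts >= 5 ) {
        wp_send_json_error( array( 'message' => __( 'Too many requests, try again later.' ) ), 429 );
    }
    set_transient( $key, $attempts + 1, 15 * MINUTE_IN_SECONDS );

    // 3. Validate the input and look the account up, but never echo account data back.
    $login = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ), true ) : '';
    $user  = $login ? get_user_by( 'login', $login ) : false;
    if ( ! $user && is_email( $login ) ) {
        $user = get_user_by( 'email', $login );
    }

    // 4. Send the reset link server-side. retrieve_password() (WordPress 5.7+)
    //    e-mails the user directly, so the address never leaves the server.
    if ( $user instanceof WP_User ) {
        $result = retrieve_password( $user->user_login );
        if ( is_wp_error( $result ) ) {
            error_log( 'pepro reset: ' . $result->get_error_code() );
        }
    }

    // 5. Uniform response for valid and unknown usernames: no enumeration oracle.
    wp_send_json_success( array(
        'message' => __( 'If an account matches, a reset link has been sent to its e-mail address.' ),
    ) );
}
```

Because mail is only sent for existing accounts, response timing can still differ slightly between valid and unknown usernames; the rate limit and uniform message reduce, rather than eliminate, the enumeration signal.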


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-04-24T17:44:47.088Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981bc4522896dcbd9a01

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 2:25:58 PM

Last updated: 8/15/2025, 1:29:30 AM

