CVE-2025-6027: CWE-287 Improper Authentication in Ace User Management
The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated user, such as a subscriber, to reset the password of arbitrary accounts, including administrators.
AI Analysis
Technical Summary
CVE-2025-6027 is a vulnerability identified in the Ace User Management WordPress plugin, versions through 2.0.3. The core issue is improper authentication (CWE-287) in the password reset functionality: the plugin does not verify that a password reset token is linked to the user who requested it. As a result, any authenticated user, regardless of privilege level (including subscribers), can use a token to reset the passwords of other users, including administrators. Exploitation requires the attacker to be authenticated on the WordPress site but needs no additional user interaction, so it is straightforward once a low-privileged account is available. The vulnerability affects confidentiality (unauthorized access to accounts), integrity (unauthorized password changes), and availability (legitimate users locked out). The CVSS v3.1 base score is 6.3 (medium severity): network attack vector, low attack complexity, low privileges required, no user interaction, and unchanged scope. No patches or fixes are currently linked, and no exploits have been reported in the wild. The flaw lies in the plugin's token management: a reset token must be bound to, and checked against, the specific account it was issued for before any password change is applied.
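To make the token-user association concrete, here is an added Python model of a password reset flow (illustrative code written for this note, not the plugin's source). It places a hypothetical vulnerable handler of the CWE-287 shape the summary describes beside a hardened one; the user table, ids and hashes are constructed sample data.

```python
import hashlib
import secrets
import time

# Constructed sample accounts (illustrative ids and roles, not from any real site).
USERS = {
    1: {"login": "admin", "role": "administrator", "pw_hash": "old-admin-hash"},
    7: {"login": "reader", "role": "subscriber", "pw_hash": "old-reader-hash"},
}
TOKEN_TTL = 3600  # seconds a reset token stays valid


class ResetTokenStore:
    """Issues reset tokens and records, for each token, the user it was issued to."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # sha256(token) -> (user_id, expires_at); raw token never stored

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = (user_id, self._now() + TOKEN_TTL)
        return token

    def consume(self, token):
        """Return (user_id, expires_at) for a known, unexpired token and burn it; else None."""
        entry = self._tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or entry[1] < self._now():
            return None
        return entry


def reset_vulnerable(store, token, target_user_id, new_hash):
    """Hypothetical CWE-287 pattern: the token is checked for validity, but the account
    to change comes from the request, so any valid token resets any account."""
    if store.consume(token) is None:
        return False
    USERS[target_user_id]["pw_hash"] = new_hash
    return True


def reset_hardened(store, token, target_user_id, new_hash):
    """Fixed form: the token must have been issued for the very account being reset."""
    entry = store.consume(token)
    if entry is None or entry[0] != target_user_id:
        return False  # unknown/expired token, or token not bound to this user
    USERS[target_user_id]["pw_hash"] = new_hash
    return True
```

The hardened handler also burns a token on a mismatch, so a token presented against the wrong account cannot be retried against the right one.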
Potential Impact
The vulnerability allows authenticated users with minimal privileges to reset passwords of arbitrary accounts, including administrators. This can lead to unauthorized account takeovers, resulting in loss of confidentiality as attackers gain access to sensitive information. Integrity is compromised as attackers can alter account credentials and potentially modify site content or configurations. Availability may be affected if attackers lock out legitimate users by changing passwords. For organizations, this can lead to unauthorized administrative access, data breaches, defacement, or complete site compromise. The ease of exploitation by any authenticated user increases the risk, especially on sites with many low-privileged users. The lack of known exploits in the wild currently limits immediate impact, but the vulnerability remains a significant risk if weaponized. Organizations relying on the Ace User Management plugin for user account controls are particularly vulnerable, and the threat extends globally wherever this plugin is deployed.
Mitigation Recommendations
Organizations should immediately verify whether they are running Ace User Management version 2.0.3 or earlier and plan to upgrade to a patched version once one is available. Until a patch is released, administrators should consider disabling the plugin or restricting its password reset functionality so that low-privileged authenticated users cannot reach it. Monitoring and alerting on unusual password reset activity (for example, resets of administrator accounts initiated from subscriber sessions) can help detect exploitation attempts. Web application firewall (WAF) rules that block suspicious password reset requests from low-privileged users may provide temporary protection. Review and tighten user role permissions to limit the number of users with authenticated access, especially subscribers. Enforcing multi-factor authentication (MFA) for administrative accounts reduces the impact of compromised credentials. Regularly audit user accounts and password reset logs to identify unauthorized changes. Finally, maintain an incident response plan to quickly address any exploitation attempts.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-06-12T12:45:31.146Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 690aea9b063e7c5f0116da7d
Added to database: 11/5/2025, 6:11:39 AM
Last enriched: 4/3/2026, 3:33:14 AM
Last updated: 5/10/2026, 1:55:02 AM