CVE-2025-9286: CWE-620 Unverified Password Change in hancock11 Appy Pie Connect for WooCommerce
The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access.
AI Analysis
Technical Summary
The Appy Pie Connect for WooCommerce plugin for WordPress contains a privilege escalation vulnerability (CWE-620) caused by missing authorization in the reset_user_password() REST API endpoint. This flaw allows unauthenticated attackers to reset passwords for any user, including administrators, thereby gaining administrative control over the affected WordPress site. The vulnerability affects all versions up to and including 1.1.2. The CVSS 3.1 base score is 9.8, reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation enables an unauthenticated attacker to reset passwords of arbitrary users, including administrators, resulting in full administrative access to the WordPress site. This compromises site confidentiality, integrity, and availability. There are no known exploits in the wild currently.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the REST API endpoints if possible and monitor for suspicious activity related to password resets. Avoid using affected versions of the plugin in production environments.
CVE-2025-9286: CWE-620 Unverified Password Change in hancock11 Appy Pie Connect for WooCommerce
Description
The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Appy Pie Connect for WooCommerce plugin for WordPress contains a privilege escalation vulnerability (CWE-620) caused by missing authorization in the reset_user_password() REST API endpoint. This flaw allows unauthenticated attackers to reset passwords for any user, including administrators, thereby gaining administrative control over the affected WordPress site. The vulnerability affects all versions up to and including 1.1.2. The CVSS 3.1 base score is 9.8, reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation enables an unauthenticated attacker to reset passwords of arbitrary users, including administrators, resulting in full administrative access to the WordPress site. This compromises site confidentiality, integrity, and availability. There are no known exploits in the wild currently.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the REST API endpoints if possible and monitor for suspicious activity related to password resets. Avoid using affected versions of the plugin in production environments.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-08-20T21:29:49.417Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68dfb275c3835a5fbe033c50
Added to database: 10/3/2025, 11:24:37 AM
Last enriched: 4/9/2026, 6:10:39 PM
Last updated: 5/9/2026, 10:51:56 PM
Views: 131
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.