CVE-2025-15030

9.8 CRITICAL

📋 TL;DR

The User Profile Builder WordPress plugin before version 3.15.2 has an improper password reset mechanism that allows unauthenticated attackers to reset any user's password by knowing their username. This affects all WordPress sites using vulnerable versions of this plugin, potentially allowing complete site takeover.

💻 Affected Systems

Products:
  • User Profile Builder WordPress plugin
Versions: All versions before 3.15.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of WordPress site including administrator accounts, leading to data theft, defacement, malware injection, or ransomware deployment.

🟠 Likely Case

Administrator account takeover leading to unauthorized content changes, plugin/theme installation, or user data access.

🟢 If Mitigated

Limited impact if strong network controls prevent external access or if multi-factor authentication is enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only username knowledge and basic HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.15.2

Vendor Advisory: https://wpscan.com/vulnerability/344cb1b1-342e-44b2-ae4a-3bb31be56b22/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the User Profile Builder plugin.
4. Click 'Update Now' if available.
5. If no update shows, manually download version 3.15.2+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin
Applies to: all
Temporarily disable the User Profile Builder plugin until it is patched:

wp plugin deactivate user-profile-builder

Restrict password reset endpoint
Applies to: all
Block access to the password reset functionality via a web application firewall.

🧯 If You Can't Patch

  • Implement web application firewall rules to block suspicious password reset requests
  • Enable multi-factor authentication for all administrator accounts

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins

Check Version:

wp plugin get user-profile-builder --field=version

Verify Fix Applied:

Confirm User Profile Builder plugin version is 3.15.2 or higher

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password reset attempts for admin/privileged users
  • Successful password resets from unfamiliar IP addresses
  • Unusual user agent strings in password reset requests

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=wppb_send_credentials_recovery
  • Multiple password reset requests from single IP

SIEM Query:

source="wordpress.log" AND ("wppb_send_credentials_recovery" OR "password reset" OR "recover credentials")
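The log and network indicators above can be checked offline against a web-server access log. The following is an added example, not part of the advisory: it parses combined-format lines, counts requests to /wp-admin/admin-ajax.php carrying action=wppb_send_credentials_recovery per source IP, and flags sources above a threshold. The sample log lines are constructed; the example assumes the action appears in the query string, since an action sent only in a POST body is not visible in an access log and needs WAF or application-level logging instead.

```python
"""Flag source IPs sending repeated wppb_send_credentials_recovery requests.
Assumes Apache/nginx "combined" access-log lines with the action in the query string."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION = "wppb_send_credentials_recovery"

# Constructed sample log: one noisy source, one single request, unrelated traffic, one bad line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=wppb_send_credentials_recovery HTTP/1.1" 200 512 "-" "curl/8.4.0"',
] * 4 + [
    '198.51.100.7 - - [10/Mar/2025:10:16:30 +0000] "POST /wp-admin/admin-ajax.php?action=wppb_send_credentials_recovery HTTP/1.1" 200 512 "https://example.com/recover" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:10:16:45 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "curl/8.4.0"',
    '192.0.2.9 - - [10/Mar/2025:10:17:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'not a log line at all',
]

def parse(line):
    """Return the fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_recovery_request(fields):
    """True when the request targets admin-ajax.php with the recovery action in its query."""
    path, _, query = fields["target"].partition("?")
    return path == ENDPOINT and f"action={ACTION}" in query

def recovery_requests_per_ip(lines):
    """Count recovery requests per client IP, skipping unparseable lines."""
    counts = Counter()
    for line in lines:
        fields = parse(line)
        if fields and is_recovery_request(fields):
            counts[fields["ip"]] += 1
    return counts

def flag_sources(lines, threshold=3):
    """IPs with at least `threshold` recovery requests, busiest first."""
    return [(ip, n) for ip, n in recovery_requests_per_ip(lines).most_common() if n >= threshold]
```

Tune the threshold to the site's normal recovery-request rate; a single request from a new IP is ordinary, while a burst from one source is the pattern worth alerting on.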
