CVE-2025-9286 · CRITICAL 9.8 · EPSS p34.0%


Description

The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, thereby gaining administrative access.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% probability of exploitation · percentile 34.0% · 2026-06-19T12:03:05Z
Published: 2025-10-03
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-620

References

  1. https://plugins.trac.wordpress.org/browser/appy-pie-connect-for-woocommerce/trunk/connect-woocommerce-rest-api.php
  2. https://plugins.trac.wordpress.org/changeset/3385150/
  3. https://wordpress.org/plugins/appy-pie-connect-for-woocommerce/
  4. https://www.wordfence.com/threat-intel/vulnerabilities/id/36fb5b8d-1ea4-45c2-8639-b229efdb57db?source=cve


Type: Weakness
Target: Unverified Password Change (cwe-620)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-6993
  2. CVE-2025-7695
  3. CVE-2025-14975
  4. CVE-2025-5288
  5. CVE-2025-4104
  6. CVE-2025-11457
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.