CRITICAL🇵🇱 Wersja polska

CVE-2025-9286

CVSS 9.8v3.1pub. 2025-10-03upd. 2026-04-15

The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access.

🤖 AI Analysis
How it works

In the REST API handler module — specifically in the reset_user_password() function — there is missing authorization verification. This means that the REST endpoint is accessible without authentication to anyone who sends a properly crafted HTTP request. An attacker can specify any user, including an administrator, and reset their password, then log in to the compromised account.

Impact

An attacker without any permissions can gain full administrative access to the WordPress website, enabling complete takeover of the service, its content, and user data.

Mitigation & patch

The plugin should be immediately updated to a version higher than 1.1.2. A patch is available in the official WordPress plugin repository (changeset 3385150). If an update is not possible immediately, it is recommended to deactivate the plugin until the fix is deployed.

Who is affected

Appy Pie Connect for WooCommerce plugin for WordPress — all versions up to and including 1.1.2.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassLPE
CWE
References