CVE-2025-3924

The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized access of data via its publicly exposed reset-password endpoint. The plugin looks up the ‘valid_email’ value based solely on a supplied username parameter, without verifying that the requester is associated with that user account. This allows unauthenticated attackers to enumerate email addresses for any user, including administrators.

More information : https://plugins.trac.wordpress.org/browser/peprodev-ups/tags/7.5.2/login/login.php#L1483