{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6027", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-06-12T12:45:31.146Z", "datePublished": "2025-11-05T06:00:07.919Z", "dateUpdated": "2026-04-02T12:39:55.948Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:55.948Z"}, "title": "Ace User Management <= 2.0.3 - Subscriber+ Authentication Bypass via Password Rest", "problemTypes": [{"descriptions": [{"description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Ace User Management", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "2.0.3"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated users, such as subscriber to reset the password of arbitrary accounts, including administrators."}], "references": [{"url": "https://wpscan.com/vulnerability/06fb8088-10e3-424e-a3ac-4673bac49467/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "aschoiloa1890", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T18:35:13.154592Z", "id": "CVE-2025-6027", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T18:35:20.331Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-6027", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-05T18:35:13.154592Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T18:31:43.524Z"}}], "cna": {"title": "Ace User Management <= 2.0.3 - Subscriber+ Authentication Bypass via Password Rest", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "aschoiloa1890"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Ace User Management", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.3"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/06fb8088-10e3-424e-a3ac-4673bac49467/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated users, such as subscriber to reset the password of arbitrary accounts, including administrators."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:55.948Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6027", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:55.948Z", "dateReserved": "2025-06-12T12:45:31.146Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2025-11-05T06:00:07.919Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated users, such as subscriber to reset the password of arbitrary accounts, including administrators."}], "id": "CVE-2025-6027", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-05T06:15:34.373", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/06fb8088-10e3-424e-a3ac-4673bac49467/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:24:20.241726+00:00", "value": {"mitigation_remediation": ["Upgrade Ace User Management to the latest available version where the token\u2011validation bug is fixed.", "Force all users to reset their passwords or otherwise invalidate existing reset tokens to eliminate any compromised credentials.", "Temporarily disable the password\u2011reset functionality (e.g., via a plugin setting or WordPress hook) until the update is applied and monitor logs for unauthorized changes."], "summary": {"action": "Update Plugin", "impact": "Privileged Account Compromise via Password Reset"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Ace User Management plugin with a version of 2.0.3 or earlier. The plugin is the sole product affected; no other WordPress components are implicated.", "description_and_impact": "The Ace User Management plugin for WordPress version 2.0.3 and earlier fails to verify that a password\u2011reset token is linked to the user making the request, allowing any authenticated user, such as a subscriber, to reset the passwords of arbitrary accounts, including administrators. This flaw enables an attacker to gain full control of privileged accounts by simply entering a new password for the target. The vulnerability corresponds to a missing authorization weakness (CWE\u2011285) and is assigned a CVSS score of 6.3, indicating moderate severity.", "risk_and_exploitability": "The CVSS score of 6.3 reflects moderate risk. The EPSS score of less than 1% indicates that, at present, the probability of exploitation is low, and the flaw is not listed in the CISA KEV catalog. An attacker must be authenticated and able to submit the password\u2011reset form; no special code injection or remote code execution is required. Once an authenticated session exists, the exploit can be performed by instructing the site to reset any user\u2019s password, making this a relatively straightforward privilege escalation vector."}}}}, "created": "2025-11-06T10:07:18.739052+00:00", "updated": "2026-04-28T10:30:29.019466+00:00", "vendors": ["acewebx", "acewebx$PRODUCT$ace_user_management", "wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-285"]}