CVE-2025-9286 PUBLISHED

Appy Pie Connect for WooCommerce <= 1.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via reset_user_password

Assigner: Wordfence
Reserved: 20.08.2025
Published: 03.10.2025
Updated: 03.10.2025

The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, thereby gaining administrative access.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor hancock11
Product Appy Pie Connect for WooCommerce
Versions Default: unaffected
  • affected from * to 1.1.2 (incl.)

Credits

  • JohSka (finder)

References

Problem Types

  • CWE-620 Unverified Password Change