
CVE-2025-3844 – PeproDev Ultimate Profile Solutions 1.9.1 - 7.5.2 - Authentication Bypass to Account Takeover
https://notcve.org/view.php?id=CVE-2025-3844
06 May 2025 — The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. This is due to the handel_ajax_req() function not placing proper restrictions on its change_user_meta functionality, which makes it possible to set an OTP code and subsequently log in with that OTP code. This makes it possible for unauthenticated attackers to log in as other users on the site, including administrators. • https://plugins.trac.wordpress.org/browser/peprodev-ups/tags/7.5.2/login/login.php#L1483 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-3924 – PeproDev Ultimate Profile Solutions 1.9.1 - 7.5.2 - Missing Authorization to Unauthenticated Email Enumeration
https://notcve.org/view.php?id=CVE-2025-3924
06 May 2025 — The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized access of data via its publicly exposed reset-password endpoint. The plugin looks up the 'valid_email' value based solely on a supplied username parameter, without verifying that the requester is associated with that user account. This allows unauthenticated attackers to enumerate email addresses for any user, including administrators. • https://plugins.trac.wordpress.org/browser/peprodev-ups/tags/7.5.2/login/login.php#L1483 • CWE-285: Improper Authorization •

CVE-2025-3921 – PeproDev Ultimate Profile Solutions 1.9.1 - 7.5.2 - Missing Authorization to Limited Unauthenticated Arbitrary User Meta Update via handel_ajax_req Function
https://notcve.org/view.php?id=CVE-2025-3921
06 May 2025 — The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handel_ajax_req() function in versions 1.9.1 to 7.5.2. This makes it possible for unauthenticated attackers to update arbitrary users' metadata, which can be leveraged to lock an administrator out of their site by setting wp_capabilities to 0. • https://plugins.trac.wordpress.org/browser/peprodev-ups/tags/7.5.2/login/login.php#L1483 • CWE-285: Improper Authorization •
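The three advisories above (CVE-2025-3844, CVE-2025-3924 and CVE-2025-3921) share one root cause: an admin-ajax handler that lets the caller choose the target user and the meta key, plus a reset-password lookup that echoes data keyed only on a username. The snippet below is an added illustration, not code from the PeproDev plugin or from the linked login.php; the hook names (`example_change_user_meta`, `example_reset_password`), the meta keys and the nonce actions are assumptions chosen for the example. It shows the vulnerable handler shape beside a hardened one built on standard WordPress APIs (`check_ajax_referer`, `current_user_can`, `is_protected_meta`, `retrieve_password`).

```php
<?php
/**
 * Added example (not PeproDev code). Hook names, meta keys and nonce
 * actions below are hypothetical.
 */

/* --- Vulnerable shape: anonymous caller picks user, key and value --- */
add_action( 'wp_ajax_example_change_user_meta',        'example_change_user_meta_vuln' );
add_action( 'wp_ajax_nopriv_example_change_user_meta', 'example_change_user_meta_vuln' ); // reachable logged out

function example_change_user_meta_vuln() {
    // No nonce, no capability check, target user taken from the request.
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $key     = sanitize_key( $_POST['meta_key'] ?? '' );
    $value   = wp_unslash( $_POST['meta_value'] ?? '' );
    // An attacker can set the OTP meta of user 1 to a value they know and log
    // in with it, or set 'wp_capabilities' to 0 and lock the admin out.
    update_user_meta( $user_id, $key, $value );
    wp_send_json_success();
}

/* --- Hardened shape --- */
add_action( 'wp_ajax_example_change_user_meta', 'example_change_user_meta_safe' );
// No wp_ajax_nopriv_ registration: logged-out callers get WordPress's default 400.

const EXAMPLE_EDITABLE_META = array( 'example_city', 'example_bio' ); // explicit allowlist

function example_change_user_meta_safe() {
    check_ajax_referer( 'example_profile_update', 'nonce' ); // dies on missing/invalid nonce

    $user_id = get_current_user_id(); // never taken from the request
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $key = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
    if ( ! in_array( $key, EXAMPLE_EDITABLE_META, true ) || is_protected_meta( $key, 'user' ) ) {
        wp_send_json_error( 'invalid key', 400 ); // OTP and wp_capabilities can never be named here
    }

    $value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';
    update_user_meta( $user_id, $key, $value );
    wp_send_json_success();
}

/* OTPs are generated server-side only, stored hashed with an expiry, and are
 * single use; no request parameter ever reaches the OTP meta key. */
function example_issue_login_otp( int $user_id ): string {
    $otp = (string) random_int( 100000, 999999 );
    update_user_meta( $user_id, 'example_otp_hash', wp_hash_password( $otp ) );
    update_user_meta( $user_id, 'example_otp_exp', time() + 5 * MINUTE_IN_SECONDS );
    return $otp; // deliver out of band (mail/SMS), never in the AJAX response
}

function example_verify_login_otp( int $user_id, string $candidate ): bool {
    $hash = get_user_meta( $user_id, 'example_otp_hash', true );
    $exp  = (int) get_user_meta( $user_id, 'example_otp_exp', true );
    delete_user_meta( $user_id, 'example_otp_hash' ); // consume before checking: one attempt per code
    delete_user_meta( $user_id, 'example_otp_exp' );
    if ( ! $hash || time() > $exp ) {
        return false;
    }
    return wp_check_password( $candidate, $hash );
}

/* --- Reset lookup that discloses nothing about the account (CVE-2025-3924 pattern) --- */
add_action( 'wp_ajax_nopriv_example_reset_password', 'example_reset_password_safe' );
add_action( 'wp_ajax_example_reset_password',        'example_reset_password_safe' );

function example_reset_password_safe() {
    check_ajax_referer( 'example_reset', 'nonce' );
    $login = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ) ) : '';

    $user = get_user_by( 'login', $login ) ?: get_user_by( 'email', $login );
    if ( $user ) {
        retrieve_password( $user->user_login ); // core mails the link; the address is never echoed
    }
    // Identical response whether or not the account exists: no enumeration oracle.
    wp_send_json_success( 'If an account matches, a reset link has been sent.' );
}
```

The allowlist is the important part of the meta handler: sanitizing the key is not enough, because `wp_capabilities` and an OTP key are perfectly valid key names. The reset handler closes the enumeration hole by construction (same status, same body, same timing budget as far as practical); on a real site it should also sit behind rate limiting, since a nonce for logged-out users only blocks CSRF, not a scripted attacker.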

CVE-2024-13719 – PeproDev Ultimate Invoice <= 2.0.8 - Insecure Direct Object Reference to Unauthenticated Order Information Exposure
https://notcve.org/view.php?id=CVE-2024-13719
18 Feb 2025 — The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.8 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users. • https://wordpress.org/plugins/pepro-ultimate-invoice • CWE-862: Missing Authorization •
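The IDOR described above is the classic "order id is the only key" mistake. The snippet below is an added example, not PeproDev Ultimate Invoice code; the query parameters (`order_id`, `key`) and function names are assumptions. It shows the vulnerable viewer beside one that binds the invoice to the requester: either the logged-in owner (or a shop manager), or a guest presenting the per-order WooCommerce order key, compared in constant time.

```php
<?php
/**
 * Added example (not plugin code). Parameter and function names are hypothetical.
 * Relies on WooCommerce's wc_get_order() / WC_Order API.
 */

function example_output_invoice( WC_Order $order ): void {
    // Every field here is PII once the check before it is missing.
    echo '<h1>Invoice #' . esc_html( $order->get_order_number() ) . '</h1>';
    echo '<p>' . esc_html( $order->get_formatted_billing_full_name() ) . '</p>';
    echo '<p>' . esc_html( $order->get_billing_email() ) . '</p>';
    foreach ( $order->get_items() as $item ) {
        echo '<li>' . esc_html( $item->get_name() ) . ' x ' . esc_html( $item->get_quantity() ) . '</li>';
    }
}

/* Vulnerable: any integer in ?order_id= renders any customer's invoice. */
function example_render_invoice_vuln(): void {
    $order = wc_get_order( absint( $_GET['order_id'] ?? 0 ) );
    if ( $order ) {
        example_output_invoice( $order );
    }
}

/* Hardened: the caller must own the order or present its unguessable key. */
function example_can_view_invoice( WC_Order $order, string $supplied_key ): bool {
    if ( is_user_logged_in() ) {
        $uid = get_current_user_id();
        if ( $order->get_customer_id() === $uid || current_user_can( 'manage_woocommerce' ) ) {
            return true;
        }
    }
    // Guest checkout: require the per-order key (wc_order_...), constant-time compare.
    $real_key = $order->get_order_key();
    return '' !== $supplied_key && is_string( $real_key ) && hash_equals( $real_key, $supplied_key );
}

function example_render_invoice_safe(): void {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $key      = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';

    $order = wc_get_order( $order_id );
    if ( ! $order || ! example_can_view_invoice( $order, $key ) ) {
        status_header( 404 ); // same answer for "no such order" and "not yours": no oracle
        exit;
    }
    example_output_invoice( $order );
}
```

Returning the same 404 for a missing order and for a foreign one matters: a distinct 403 would let an unauthenticated caller confirm which order ids exist, which is a smaller leak but still one.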

CVE-2024-8873 – PeproDev WooCommerce Receipt Uploader <= 2.6.9 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-8873
15 Nov 2024 — The PeproDev WooCommerce Receipt Uploader plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping of the resulting URL in all versions up to, and including, 2.6.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can trick a user into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/pepro-bacs-receipt-upload-for-woocommerce/trunk/wc-upload-reciept.php#L163 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
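The add_query_arg() pattern behind this advisory is worth seeing in code, because the function is frequently mistaken for an escaping function. When it is called without a base URL it builds on $_SERVER['REQUEST_URI'], so whatever the visitor put in the request path comes back in the returned string unchanged. The snippet below is an added example, not code from the Receipt Uploader plugin; the link text and function names are assumptions.

```php
<?php
/**
 * Added example (not plugin code). Function names and the query argument
 * are hypothetical; the API behaviour of add_query_arg()/esc_url() is WordPress core.
 */

/* Vulnerable: the current request URI, path included, lands raw inside href="...". */
function example_upload_link_vuln(): string {
    // No base URL passed, so add_query_arg() starts from $_SERVER['REQUEST_URI'].
    // Any characters the web server passes through unencoded in the path (a quote,
    // angle brackets) are reflected verbatim and close the attribute.
    $url = add_query_arg( array( 'upload_receipt' => '1' ) );
    return '<a href="' . $url . '">Upload receipt</a>';
}

/* Hardened: escape for the context the value is used in (an HTML attribute holding a URL). */
function example_upload_link_safe(): string {
    // esc_url() strips characters outside the URL-safe set (including " < > and
    // whitespace), entity-encodes &, and rejects non-allowlisted schemes such as javascript:.
    $url = esc_url( add_query_arg( array( 'upload_receipt' => '1' ) ) );
    return '<a href="' . $url . '">Upload receipt</a>';
}

/* Same idea for the other sink: a redirect target is escaped with esc_url_raw()
 * and sent through wp_safe_redirect(), which refuses off-host destinations. */
function example_redirect_back_safe(): void {
    $target = esc_url_raw( add_query_arg( array( 'uploaded' => '1' ) ) );
    wp_safe_redirect( $target );
    exit;
}
```

The rule of thumb the fix encodes: add_query_arg() and remove_query_arg() return data, not HTML, so their output is escaped at the point of use with esc_url() for markup and esc_url_raw() for redirects or database storage.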

CVE-2023-41863 – WordPress PeproDev CF7 Database Plugin <= 1.7.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41863
05 Sep 2023 — Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the Pepro Dev. Group PeproDev CF7 Database plugin, versions <= 1.7.0. • https://patchstack.com/database/vulnerability/pepro-cf7-database/wordpress-peprodev-cf7-database-plugin-1-7-0-unauthenticated-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •