CVE-2025-9286
Published: 03 October 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-9286 is a privilege escalation vulnerability in the Appy Pie Connect for WooCommerce plugin for WordPress, affecting all versions up to and including 1.1.2. The issue stems from missing authorization checks within the reset_user_password() REST API handler, which allows unauthorized password resets for any user account.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required, as indicated by the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and a base score of 9.8. Exploitation enables attackers to reset passwords for arbitrary users, including administrators, granting them full administrative access to the WordPress site (CWE-620).
Mitigation details are available in related advisories and resources, including Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/36fb5b8d-1ea4-45c2-8639-b229efdb57db?source=cve, the plugin's WordPress.org page at https://wordpress.org/plugins/appy-pie-connect-for-woocommerce/, and the vulnerable source code at https://plugins.trac.wordpress.org/browser/appy-pie-connect-for-woocommerce/trunk/connect-woocommerce-rest-api.php.
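To illustrate the class of weakness described above (CWE-620, a password-change endpoint that never verifies who is asking), the following is an added example of a WordPress REST password-reset route that performs the authorization the advisory says is missing. It is not the plugin's code; the route namespace, function names and the `user_id`/`password` parameters are assumptions.

```php
<?php
// Added illustration, not Appy Pie Connect code: a REST password-reset route
// whose permission_callback enforces identity and capability before the handler runs.
// Namespace, callback names and parameter names are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/reset-password', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST only
        'callback'            => 'example_reset_user_password',
        // WordPress evaluates permission_callback before the handler. Returning true
        // unconditionally (or omitting it) is what leaves a route open to anyone.
        'permission_callback' => 'example_reset_password_permission',
        'args'                => array(
            'user_id'  => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
            'password' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

// Allow the reset only for an authenticated caller who is the target user or who
// holds the edit_user meta capability for that user (administrators do).
// Cookie-authenticated callers also need a valid REST nonce; without one, WordPress
// core treats the request as anonymous, so is_user_logged_in() fails here.
function example_reset_password_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target = absint( $request->get_param( 'user_id' ) );
    if ( $target === get_current_user_id() || current_user_can( 'edit_user', $target ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Not allowed to reset this password.', array( 'status' => 403 ) );
}

// Handler: reached only after the permission callback above returned true.
function example_reset_user_password( WP_REST_Request $request ) {
    $target = absint( $request->get_param( 'user_id' ) );
    $user   = get_userdata( $target );
    if ( ! $user ) {
        return new WP_Error( 'rest_not_found', 'No such user.', array( 'status' => 404 ) );
    }
    wp_set_password( $request->get_param( 'password' ), $user->ID );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

When auditing a plugin for this weakness, look for `register_rest_route()` calls whose `permission_callback` is `__return_true`, absent, or checks only input validity rather than the caller's identity and capability.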
Details
- CWE(s): CWE-620 (Unverified Password Change)
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation)
Why these techniques?
Unauthenticated exploitation of a public-facing WordPress plugin REST API enables initial access (T1190) and privilege escalation to admin via unauthorized password resets (T1068).