Description
The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, thereby gaining administrative access.
Published: 2025-10-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Unauthenticated Password Reset
Action: Patch Immediately
AI Analysis

Impact

A missing authorization check in the reset_user_password REST handler of the Appy Pie Connect for WooCommerce plugin allows an attacker to reset the password of any user, including administrators. Once the new password is set, the attacker has full administrative access. Based on the description, it is inferred that this flaw is a straightforward authorization bypass on a password-change operation, tracked as CWE-620 (Unverified Password Change).

Affected Systems

The vulnerability affects the Appy Pie Connect for WooCommerce WordPress plugin supplied by hancock11. All releases up to and including version 1.1.2 are impacted; later releases are not affected.

Risk and Exploitability

The CVSS score of 9.8 classifies the flaw as critical, while the EPSS score of less than 1% indicates a low current exploitation probability. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is a crafted HTTP request to the WordPress REST API endpoint that handles password resets; no authentication or other prerequisites are required, so any attacker who can reach the site over the internet can compromise accounts.

Generated by OpenCVE AI on April 21, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Appy Pie Connect for WooCommerce plugin to the latest version (1.1.3 or newer).
  • If an upgrade is not feasible, disable or remove the reset_user_password REST endpoint.
  • Force a password reset for all existing users or revoke existing passwords.
  • Restrict REST API access to authenticated or trusted IP ranges, or require authentication for all endpoints to prevent similar weaknesses.
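The last two recommendations above amount to one fix: a REST route that changes passwords must decide who may call it before the callback runs. The following is an added example written for this page, not code from the Appy Pie Connect plugin or from OpenCVE. It shows the weak pattern (a permission_callback that always allows, which is what a "missing authorization" REST handler looks like in practice), the hardened route that requires a logged-in caller with the edit_user capability for the target account, and the blanket "require authentication for all REST requests" mitigation. The namespace example-connect/v1, the route names and the example_* function names are hypothetical; register_rest_route, current_user_can, wp_set_password and the rest_authentication_errors filter are standard WordPress APIs.

```php
<?php
// Added example (not the plugin's code). Namespace, routes and the example_*
// functions are hypothetical; the WordPress APIs used are real.

add_action( 'rest_api_init', function () {

    // WEAK PATTERN: the permission callback always returns true, so any
    // unauthenticated caller may choose the target user and the new password.
    register_rest_route( 'example-connect/v1', '/reset-user-password-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_reset_user_password',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: WordPress evaluates permission_callback before the callback
    // and rejects the request when it returns false or a WP_Error. Argument
    // validation runs at the same stage, so malformed input never reaches
    // the password change.
    register_rest_route( 'example-connect/v1', '/reset-user-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_reset_user_password',
        'permission_callback' => 'example_can_reset_user_password',
        'args'                => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'password' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) >= 12;
                },
            ),
        ),
    ) );
} );

// Authorization decision for the hardened route.
function example_can_reset_user_password( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target = (int) $request->get_param( 'user_id' );
    // 'edit_user' is a meta capability resolved per target user: administrators
    // hold it for every account, ordinary users only for their own.
    if ( ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not change this user\'s password.', array( 'status' => 403 ) );
    }
    return true;
}

// The actual password change, shared by both routes above.
function example_reset_user_password( WP_REST_Request $request ) {
    $user = get_user_by( 'id', (int) $request->get_param( 'user_id' ) );
    if ( ! $user ) {
        return new WP_Error( 'rest_not_found', 'No such user.', array( 'status' => 404 ) );
    }
    wp_set_password( $request->get_param( 'password' ), $user->ID );
    // Log who changed whose password so unexpected resets show up in review.
    error_log( sprintf( 'Password reset for user %d by user %d', $user->ID, get_current_user_id() ) );
    return rest_ensure_response( array( 'reset' => true, 'user_id' => $user->ID ) );
}

// Blanket mitigation from the recommended actions: require authentication for
// every REST request on the site. This also blocks legitimately public
// endpoints (for example the WooCommerce Store API), so scope it deliberately.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // another authentication check already decided
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
} );
```

Two things to keep in mind when adapting this: cookie-based REST authentication only counts as logged in when the request carries a valid X-WP-Nonce header, so a browser session without the nonce is treated as anonymous and denied, which is the intended behaviour; and the blanket rest_authentication_errors filter is a stopgap for sites that cannot upgrade, not a substitute for a proper permission_callback on the endpoint itself.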

Generated by OpenCVE AI on April 21, 2026 at 18:57 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-32280
Title: The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, thereby gaining administrative access.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type: References (no values listed)

Mon, 06 Oct 2025 14:45:00 +0000

Type: First Time appeared
Values: Hancock11; Hancock11 appy Pie Connect For Woocommerce; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values: Hancock11; Hancock11 appy Pie Connect For Woocommerce; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 18:15:00 +0000

Type: Metrics (ssvc)
Value:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Oct 2025 11:30:00 +0000

Type: Description
Value: The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, thereby gaining administrative access.

Type: Title
Value: Appy Pie Connect for WooCommerce <= 1.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via reset_user_password

Type: Weaknesses
Value: CWE-620

Type: References (no values listed)

Type: Metrics (cvssV3_1)
Value:

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:14.529Z

Reserved: 2025-08-20T21:29:49.417Z

Link: CVE-2025-9286

Vulnrichment

Updated: 2025-10-03T18:02:59.160Z

NVD

Status: Deferred

Published: 2025-10-03T12:15:47.757

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9286

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:00:36Z

Weaknesses