CVE-2025-9286

CRITICAL

Appy Pie Connect <1.1.2 - Privilege Escalation

Title source: llm

Description

The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access.

Exploits (2)

github WORKING POC

by Boshe99 · pythonpoc

https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-9286

View Code ZIP pw:eip

github WORKING POC

by Nxploited · pythonpoc

https://github.com/Nxploited/CVE-2025-9286

View Code ZIP pw:eip

References (4)

[Product] https://plugins.trac.wordpress.org/browser/appy-pie-connect-for-woocommerce/trunk/connect-woocommerce-rest-api.php

[Product] https://wordpress.org/plugins/appy-pie-connect-for-woocommerce/

https://plugins.trac.wordpress.org/changeset/3385150/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/36fb5b8d-1ea4-45c2-8639-b229efdb57db?source=cve

Scores

CVSS v3 9.8

EPSS 0.0027

EPSS Percentile 50.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-620

Status published

Products (1)

hancock11/Appy Pie Connect for WooCommerce < 1.1.2

Published Oct 03, 2025

Tracked Since Feb 18, 2026