CVE Alert

CVE-2025-6027

MEDIUM 6.3

Ace User Management <= 2.0.3 - Subscriber+ Authentication Bypass via Password Reset

CVSS Score 6.3
EPSS Score 0.1%
EPSS Percentile 20th

The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated user, such as a subscriber, to reset the password of arbitrary accounts, including administrators.

Vendor unknown
Product ace user management
Published Nov 5, 2025
Last Updated Apr 2, 2026

Affected Versions

Unknown / Ace User Management
0 ≤ 2.0.3

References

wpscan.com: https://wpscan.com/vulnerability/06fb8088-10e3-424e-a3ac-4673bac49467/

Credits

aschoiloa1890 WPScan