Introduction
Attackers can seize administrative control of WordPress sites running the Appy Pie Connect for WooCommerce plugin by exploiting a critical flaw that lets them reset any user's password without authentication. For e-commerce operators and site owners, this means a single unauthenticated request could result in total site compromise and data loss.
Appy Pie is a global no-code platform provider with a wide range of website and business automation tools. Their Connect for WooCommerce plugin is a specialized integration for WordPress e-commerce deployments. The company claims SOC 2 and ISO 27001 certifications and serves thousands of customers worldwide, making vulnerabilities in their products highly impactful for the WordPress and WooCommerce ecosystem.
Technical Information
CVE-2025-9286 is a privilege escalation vulnerability in the Appy Pie Connect for WooCommerce plugin for WordPress. The flaw is present in all versions up to and including 1.1.2. The vulnerability is rooted in the reset_user_password() REST handler, which is implemented in the plugin's connect-woocommerce-rest-api.php file.
The core issue is the absence of any authorization or authentication checks before processing password reset requests. The handler is exposed via the WordPress REST API and accepts HTTP POST requests that specify a username and a new password. Because there is no verification of the requester's identity or privileges, any unauthenticated actor can submit a crafted request to this endpoint and reset the password for any user, including those with administrator privileges.
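To make the missing-authorization pattern concrete, the following is a constructed illustration (not the plugin's own code, and not taken from the advisory) of a WordPress REST route that resets a password without any permission check, beside the hardened form a reviewer would expect; the namespace, route paths and function names are assumptions.

```php
<?php
// Constructed illustration of the CWE-620 pattern described above; not the
// Appy Pie plugin's code. Namespace, route and handler names are assumptions.

// Weak pattern: '__return_true' opens the route to unauthenticated callers and
// the handler trusts whatever username/password the request carries.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-connect/v1', '/reset-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_reset_password_unchecked',
        'permission_callback' => '__return_true', // no identity or capability check
    ) );
} );

function example_reset_password_unchecked( WP_REST_Request $request ) {
    $user = get_user_by( 'login', $request->get_param( 'username' ) );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'User not found', array( 'status' => 404 ) );
    }
    wp_set_password( $request->get_param( 'password' ), $user->ID ); // reachable by anyone
    return rest_ensure_response( array( 'reset' => true ) );
}

// Hardened pattern: the permission callback requires an authenticated caller
// with the capability to edit users, arguments are declared and sanitized, and
// the handler re-checks the 'edit_user' meta capability for the target account.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-connect/v1', '/reset-password-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_reset_password_checked',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'edit_users' );
        },
        'args'                => array(
            'username' => array( 'required' => true, 'type' => 'string',
                                 'sanitize_callback' => 'sanitize_user' ),
            'password' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function example_reset_password_checked( WP_REST_Request $request ) {
    $user = get_user_by( 'login', $request->get_param( 'username' ) );
    if ( ! $user || ! current_user_can( 'edit_user', $user->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    wp_set_password( $request->get_param( 'password' ), $user->ID );
    return rest_ensure_response( array( 'reset' => true ) );
}
```

When auditing a plugin's REST routes, treat both an absent permission_callback (which WordPress 5.5 and later flags with a _doing_it_wrong notice) and a '__return_true' callback as open endpoints unless the handler is genuinely meant to be public.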
This is a classic instance of CWE-620 (Unverified Password Change), where an application allows password changes without verifying the user's identity. The impact is immediate and severe: attackers can gain full administrative access to the affected WordPress site, install malicious plugins, exfiltrate data, or deface the site.
No public code snippets or proof-of-concept exploit code were found in the referenced sources. The vulnerable handler is documented in the plugin's source code:
Affected Systems and Versions
- Product: Appy Pie Connect for WooCommerce plugin for WordPress
- Affected versions: All versions up to and including 1.1.2
- Vulnerable configuration: Any WordPress installation with this plugin activated and accessible REST API endpoints
Vendor Security History
Appy Pie claims SOC 2 and ISO 27001 certifications and documents standard security controls for their platform. No prior public record of similar vulnerabilities in this plugin was found in the provided sources. The presence of this vulnerability, however, indicates a lack of secure coding review for REST API endpoints in this product.