Profile Builder Plugin - Authentication Bypass (CVE-2021-24527)
150 exploiting IPs reported
The Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the blog's admin and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin is not notified of the change (for example, by email).
CrowdSec analysis
CVE-2021-24527 is a critical vulnerability in the User Registration & User Profile – Profile Builder WordPress plugin prior to version 3.4.9, allowing any user to reset the admin password and gain unauthorized access due to a flaw in reset key validation. Attackers can exploit this bug to take over WordPress sites without alerting the administrator, as no notification is sent when the password is changed.
CrowdSec has been tracking this vulnerability and its exploits since 24th of September 2025.
Data from the CrowdSec community indicates that exploitation of CVE-2021-24527 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. CrowdSec data also reveals a clear uptick in attacks involving CVE-2021-24527 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.
Attackers exploit the password reset functionality by sending crafted requests to endpoints with a ?key= parameter, allowing them to reset passwords for arbitrary users, including administrators, without authentication. This activity typically targets URLs associated with the Profile Builder plugin, such as /wp-content/plugins/profile-builder/, or any path containing ?key=.
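The following Python is an added example, not CrowdSec's own parser or one of its scenarios: it applies the two request patterns described above (hits on the Profile Builder plugin path, and any request whose query string carries a key parameter) to constructed combined-format access-log lines, then counts matches per source IP the way a simple leaky bucket would. The plugin path comes from the text; the IPs (documentation range 192.0.2.0/24), the /password-reset/ path, the login= parameter and the key values in the sample log are assumptions made for the example.

```python
"""Flag requests matching the CVE-2021-24527 exploitation pattern.

Added example (not CrowdSec's parser/scenario). The access-log lines
below are constructed, not real traffic.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

PLUGIN_PATH = "/wp-content/plugins/profile-builder/"   # from the advisory text
RESET_PARAM = "key"                                     # the ?key= parameter

# Apache/Nginx "combined" format: ip - user [time] "METHOD URI PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log. The /password-reset/ path, login= parameter and key
# values are assumptions; 192.0.2.0/24 is reserved for documentation.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2025:10:01:02 +0000] "GET /index.php?page_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.20 - - [25/Sep/2025:10:01:05 +0000] "GET /wp-content/plugins/profile-builder/readme.txt HTTP/1.1" 200 890 "-" "python-requests/2.31"
192.0.2.20 - - [25/Sep/2025:10:01:06 +0000] "GET /password-reset/?key=AAAAAAAAAAAAAAAAAAAA&login=admin HTTP/1.1" 200 2300 "-" "python-requests/2.31"
192.0.2.20 - - [25/Sep/2025:10:01:07 +0000] "POST /password-reset/?key=AAAAAAAAAAAAAAAAAAAA&login=admin HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.30 - - [25/Sep/2025:10:02:00 +0000] "GET /wp-login.php?action=rp&key=legit&login=alice HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.40 - - [25/Sep/2025:10:03:00 +0000] "GET /blog/?s=keyboard HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(uri):
    """Return why a request URI matches the exploitation pattern, or None."""
    parts = urlsplit(uri)
    if parts.path.startswith(PLUGIN_PATH):
        return "profile-builder path"
    # Parse the query string properly: "?s=keyboard" must not match because
    # it merely contains the substring "key", while an empty "?key=" must.
    params = parse_qs(parts.query, keep_blank_values=True)
    if RESET_PARAM in params:
        return "reset key parameter"
    return None


def detect(log_text):
    """Return one event per log line that matches either pattern."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["uri"])
        if reason:
            events.append({"ip": rec["ip"], "method": rec["method"],
                           "uri": rec["uri"], "reason": reason})
    return events


def ips_over_threshold(events, threshold=2):
    """Source IPs with at least `threshold` matching requests (a simplified
    CrowdSec-style bucket: several hits from one source become a decision)."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = detect(SAMPLE_LOG)
    for e in evs:
        print(f'{e["ip"]} {e["method"]} {e["uri"]} -> {e["reason"]}')
    print("ban candidates:", ips_over_threshold(evs))
```

Note the fifth sample line: WordPress core's own reset link (wp-login.php?action=rp&key=...) is flagged too, because the second rule is "any path containing ?key=". That is a false positive a practitioner must expect from such a broad pattern; before turning matches into a ban, combine the key-parameter rule with the plugin path, a per-source rate threshold as in ips_over_threshold, or the response status of the reset request.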
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.