CrowdSec
CrowdSec Score: 5/10

Profile Builder Plugin - Authentication Bypass (CVE-2021-24527)

Published on 16-08-2021
First seen on 25-09-2025

135 exploiting IPs reported

The Profile Builder WordPress plugin before 3.4.9 has a bug that allows any user to reset the password of the blog's administrator and gain unauthorised access, because of a bypass in the way the password reset key is checked. In addition, the administrator is not notified of the change, for example by email.

CrowdSec analysis

CVE-2021-24527 is a critical vulnerability in the User Registration & User Profile – Profile Builder WordPress plugin prior to version 3.4.9, allowing any user to reset the admin password and gain unauthorized access due to a flaw in reset key validation. Attackers can exploit this bug to take over WordPress sites without alerting the administrator, as no notification is sent when the password is changed.

CrowdSec has been tracking this vulnerability and its exploitation since 24 September 2025.

CrowdSec network observations suggest that most exploitation of CVE-2021-24527 is preceded by focused reconnaissance to identify viable targets: attackers tailor their campaigns to the exposure and configuration of each system, so a given attack is unlikely to be accidental. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2021-24527. Exploitation is still seen in the wild, but the volume has dropped noticeably week over week. This may mean the vulnerability is becoming less relevant, or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit the password reset functionality by sending crafted requests to reset endpoints with a ?key=<a> query parameter, which lets them reset the password of arbitrary users, including administrators, without authenticating. The activity typically targets URLs associated with the Profile Builder plugin, such as /wp-content/plugins/profile-builder/ (reconnaissance for the plugin's presence and version), or any path whose query string carries ?key=<a>.
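The traffic pattern described above can be turned into a simple log check. The following is an added example written for this page, not CrowdSec's parser or scenario code and not part of the plugin: it scans web-server access log lines in Combined Log Format for the two indicators the text names (requests under /wp-content/plugins/profile-builder/ and requests carrying a `key` query parameter), tallies them per source IP, and also gives a version predicate for the fixed release cited in the advisory. The log lines are constructed for the example; the IPs are documentation ranges and the whitelist rule for WordPress core reset links is an assumption about core's link format, not something this page states.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Combined Log Format); none of these are real requests.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2025:10:01:02 +0000] "GET /wp-content/plugins/profile-builder/readme.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2025:10:01:03 +0000] "GET /reset-password/?key=a&login=admin HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2025:10:01:03 +0000] "POST /reset-password/?key=a&login=admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Sep/2025:10:05:10 +0000] "GET /wp-login.php?action=rp&key=Qm3xTz9LpW2aH7kJdR1s&login=alice HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Sep/2025:10:06:00 +0000] "GET /blog/?p=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Minimal CLF parser: we only need client IP, method, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PLUGIN_PATH = "/wp-content/plugins/profile-builder/"

# Assumption (not from the advisory): WordPress core reset links look like
# wp-login.php?action=rp&key=<20 alphanumeric chars>&login=<user>. A well-formed
# core link is treated as legitimate so ordinary password resets are not flagged.
CORE_KEY_RE = re.compile(r"^[A-Za-z0-9]{20}$")


def classify(line):
    """Return (ip, verdict) for one log line, or None if the line does not parse.

    verdict is None (benign), "recon" (plugin path probed) or
    "reset_probe" (request carrying a key= parameter outside a core reset link).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)

    if parts.path.startswith(PLUGIN_PATH):
        return ip, "recon"

    if "key" in query:
        core_link = parts.path.endswith("wp-login.php") and all(
            CORE_KEY_RE.match(k) for k in query["key"]
        )
        return ip, None if core_link else "reset_probe"

    return ip, None


def scan(log_text):
    """Tally suspicious verdicts per source IP: {ip: {"recon": n, "reset_probe": m}}."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            per_ip[result[0]][result[1]] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


def is_affected_version(version):
    """True when a Profile Builder version string is below 3.4.9, the fixed release."""
    numbers = tuple(int(x) for x in re.findall(r"\d+", version))
    return numbers < (3, 4, 9)


if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, counts)
    print("3.4.8 affected:", is_affected_version("3.4.8"))
```

Matching on the bare `key` parameter alone would also catch every legitimate core password reset on wp-login.php, so the example whitelists well-formed core links and flags the rest; the plugin's own reset form lives on a site-specific page, which is why the query parameter rather than a fixed path is the indicator. A source that shows plugin reconnaissance followed by `key=` probes within seconds, as 203.0.113.7 does in the sample, is the sequence the analysis above describes.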


Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.