CVE-2021-24655
WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise
Vexday Risk Score
3Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS —EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
17 jul 2022Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
Productos afectados
Unknown · WP User Manager – User Profile Builder & Membership¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →