CVE-2021-24655

WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise

EPSS 0.8%CWE-639

Vexday Risk Score

3Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS —EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

17 jul 2022Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

Produtos afetados

Unknown · WP User Manager – User Profile Builder & Membership

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f