WordPress Plugin Vulnerabilities
AllCoach < 1.0.2 - Unauthenticated Account Takeover
Description
The plugin does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
PRIVESC
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Pedro Pinho
Submitter
Pedro Pinho
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-15 (about 22 days ago)
Added
2026-06-15 (about 21 days ago)
Last Updated
2026-07-06 (about 11 hours ago)