WordPress Plugin Vulnerabilities

AllCoach < 1.0.2 - Unauthenticated Account Takeover

Description

The plugin does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.

Proof of Concept

Affects Plugins

Fixed in 1.0.2

References

Classification

Miscellaneous

Original Researcher
Pedro Pinho
Submitter
Pedro Pinho
Verified
Yes

Timeline

Publicly Published
2026-06-15 (about 22 days ago)
Added
2026-06-15 (about 21 days ago)
Last Updated
2026-07-06 (about 11 hours ago)

Other