WordPress Plugin Vulnerabilities

WP User Control <= 1.5.3 - Unauthenticated password reset

Description

The WP User Control plugin for WordPress is vulnerable to unauthorized password resets due to the plugin using native password reset functionality. It is worth mentioning that the new password is only sent to the affected user's email, not being leaked to the attacker.

Affects Plugins

Plugin icon
wp-user-control
No known fix

References

CVE
CVE-2023-4915

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
67dd95a9-72ab-4837-a64a-6a0e749a0566

Timeline

Publicly Published
2023-09-12 (about 2 years ago)
Added
2023-09-20 (about 2 years ago)
Last Updated
2023-09-20 (about 2 years ago)

Other

Published
Title
Published
2025-01-14
Title
Setup Default Featured Image < 1.3 - Missing Authorization
Published
2024-09-03
Title
The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Missing Authorization to Admin Username Change
Published
2025-05-16
Title
Pinterest Automatic Pin <= 4.19.0 - Missing Authorization
Published
2026-02-23
Title
Directory Pro <= 2.5.6 - Missing Authorization
Published
2024-06-06
Title
Copymatic – AI Content Writer & Generator < 2.0 - Missing Authorization