WordPress Plugin Vulnerabilities

SignUp & SignIn <= 1.0.0 - Unauthenticated Account Takeover via Password Reset

Description

The plugin does not properly validate a password reset request, which could allow unauthenticated attackers to change the password of any user, including administrators, leading to a full account takeover.

Affects Plugins

Plugin icon
signup-signin
No known fix

References

CVE
CVE-2026-12417
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c0a617fc-da3d-4828-b027-44093dd11769

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Alyudin Nafiie
Verified
No
WPVDB ID
6a67cf38-9afd-4f2d-9fd8-06d0377b7096

Timeline

Publicly Published
2026-06-23 (about 7 days ago)
Added
2026-06-23 (about 6 days ago)
Last Updated
2026-06-23 (about 6 days ago)

Other

Published
Title
Published
2026-03-17
Title
KiviCare – Clinic & Patient Management System (EHR) < 4.1.3 - Unauthenticated Authentication Bypass via Social Login Token
Published
2016-05-31
Title
Stream <= 3.0.5 - Unauthenticated Events Export
Published
2024-11-05
Title
Social Share, Social Login and Social Comments Plugin – Super Socializer < 7.14 - Authentication Bypass
Published
2025-07-03
Title
WP Compress < 6.30.31 - Unauthenticated Broken Authentication
Published
2026-06-22
Title
User Registration & Membership < 5.2.2 - Unauthenticated PayPal Webhook Signature Verification Bypass Leading to Membership Activation