WordPress Plugin Vulnerabilities

iThemes Security < 7.7.0 - New-Password Requirements Not Enforced Until second Login

Description

The plugin did not enforce new-password requirements for existing accounts until the second login occurred, which could leave an account configured with a potentially weak password until the user changes it

Affects Plugins

Plugin icon
ithemes
No known fix

References

CVE
CVE-2020-36176

Miscellaneous

Verified
No
WPVDB ID
7f45c02a-9b41-483e-80f3-fb51b1519487

Timeline

Publicly Published
2021-01-06 (about 5 years ago)
Added
2021-06-28 (about 4 years ago)
Last Updated
2022-01-02 (about 4 years ago)

Other

Published
Title
Published
2024-07-11
Title
Wallet System for WooCommerce < 2.5.14 - Information Exposure via Log Files
Published
2014-08-01
Title
Paid Memberships Pro 1.4.7 - adminpages/memberslist-csv.php Direct Request Member Personal Information Disclosure
Published
2019-07-01
Title
Easy Forms for Mailchimp < 6.5.3 - Code Injection
Published
2025-10-14
Title
Binary MLM Plan < 5.0 - Unauthenticated Limited Privilege Escalation
Published
2014-08-01
Title
Yoast SEO - Security issue which allowed any user to reset settings