WordPress Plugin Vulnerabilities

WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise

Description

The plugin does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

Proof of Concept

Affects Plugins

Plugin icon
wp-user-manager
Fixed in 2.6.3

References

CVE
CVE-2021-24655

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
8.8 (high)

Miscellaneous

Original Researcher
AyeCode Ltd
Submitter
Stiofan
Submitter website
https://ayecode.io/
Submitter twitter
_stiofan
Verified
Yes
WPVDB ID
cce03550-7f65-4172-819e-025755fb541f

Timeline

Publicly Published
2021-09-22 (about 4 years ago)
Added
2021-09-22 (about 4 years ago)
Last Updated
2023-02-03 (about 2 years ago)

Other

Published
Title
Published
2024-10-16
Title
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors < 4.7.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
Published
2024-03-13
Title
Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form < 2.10.2 - Unauthenticated Insecure Direct Object Reference to Form Submission Alteration
Published
2024-02-26
Title
User Shortcodes Plus <= 2.0.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via user_meta Shortcode
Published
2022-12-13
Title
WPQA < 5.9.3 - Missing validation lead to functionality abuse
Published
2025-11-18
Title
SiteSEO – SEO Simplified < 1.3.3 - Sensitive Post Meta Disclosure via IDOR