Mar 11, 2024 - 6:15 p.m.

CVE-2024-1290

2024-03-11 18:15:18
web.nvd.nist.gov

Tags: cve-2024-1290, wordpress, plugin, user registration, security vulnerability, contributor role, shortcode, password reset, account takeover

AI Score: 9.4 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.

Affected configurations

Vulners

Node: user_registration_&_user_management_system_project | user_registration_&_user_management_system | Range < 2.12

Vendor | Product | Version | CPE
wpeverest | user_registration | * | cpe:2.3:a:wpeverest:user_registration:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "User Registration",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "2.12"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
