CVE-2021-24655 WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise

2022-07-1710:35:28

CWE-639

WPScan

www.cve.org

0.001 Low

EPSS

Percentile

43.1%

JSON

The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

CNA Affected

[
  {
    "product": "WP User Manager – User Profile Builder & Membership",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "2.6.3",
        "status": "affected",
        "version": "2.6.3",
        "versionType": "custom"
      }
    ]
  }
]

References

wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f

0.001 Low

EPSS

Percentile

43.1%

JSON

Related for CVELIST:CVE-2021-24655