9 matches found

ATTACKERKB
added 2026/06/02 6:30 p.m. | 12 views

CVE-2026-5076

The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the armresetpasswordkey user meta field when a user requests a password reset. This is in...

CVSS 9.8 | AI score 5.9 | EPSS 0.01383
Exploits: 3 | References: 3

CVE
added 2026/02/19 3:25 a.m. | 18 views

CVE-2025-12845

CVE-2025-12845 refers to the WordPress plugin Tablesome Table – Contact Form DB (WPForms, CF7, Gravity, Forminator, Fluent) with versions 0.5.4–1.2.1. According to Wordfence, it allows unauthorised access to plugin data and can lead to privilege escalation due to a missing capability check in get...

CVSS 8.8 | AI score 5.5 | EPSS 0.00356
In wild | Exploits: 0 | References: 2

RedhatCVE
added 2026/01/09 8:46 a.m. | 5 views

CVE-2025-15018

The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key...

CVSS 9.8 | AI score 6.2 | EPSS 0.003
Exploits: 0 | References: 1

Cvelist
added 2026/01/07 8:21 a.m. | 23 views

CVE-2025-15018 Optional Email <= 1.3.11 - Unauthenticated Privilege Escalation to Account Takeover

The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key...

CVSS 9.8 | EPSS 0.003
Exploits: 0 | References: 2

CVE
added 2026/01/07 8:21 a.m. | 21 views

CVE-2025-15018

CVE-2025-15018: Affects Optional Email plugin for WordPress. Root cause: the plugin does not restrict its 'random_password' filter to registration contexts, allowing it to influence password reset key generation. Impact: unauthenticated attackers can set a known password reset key during password...

CVSS 9.8 | AI score 5.8 | EPSS 0.003
Exploits: 0 | References: 2

RedhatCVE
added 2025/02/05 3:20 a.m. | 25 views

CVE-2024-51478

YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5...

CVSS 9.9 | AI score 6.7 | EPSS 0.00368
Exploits: 1 | References: 1

Veracode
added 2024/11/13 10:53 a.m. | 11 views

Password Reset Attack

yeswiki/yeswiki is vulnerable to weak cryptographic algorithm. The vulnerability is due to poor cryptographic practices, specifically the use of a weak cryptographic algorithm and a hard-coded salt for hashing the password reset key, allowing attackers to recover the reset key and gain unauthoriz...

CVSS 9.9 | AI score 7 | EPSS 0.00368
Exploits: 1 | References: 4 | Affected Software: 1

NVD
added 2023/04/27 12:15 a.m. | 28 views

CVE-2023-2297

The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function...

CVSS 9.8 | AI score 7.1 | EPSS 0.00987
Exploits: 1 | References: 4

HackerOne
added 2020/08/27 3:11 p.m. | 12 views

LY Corporation: Password reset by malicious input on air.line.me

Due to a bug in the account verification process of the password reset function on air.line.me, it was possible to change others' passwords if a temporary password reset key was set to a space...

AI score 6.9
Exploits: 0