84 matches found
CVE-2026-35671
phpMyFAQ is affected by an insecure direct object reference (IDOR) in the admin API: overwrite-password allows changing any user’s password when the requester is an authenticated admin with USER_EDIT permission. The root causes cited are: (1) no verification that the requesting admin may modify t...
EUVD-2020-9831
Malware in sbrugna...
EUVD-2017-10566
Malware in sbrugna...
EUVD-2020-3200
Malware in sbrugna...
EUVD-2018-4499
Malware in sbrugna...
EUVD-2014-6289
Malware in sbrugna...
EUVD-2020-18616
Malware in sbrugna...
EUVD-2022-53219
Malicious code in bioql PyPI...
EUVD-2024-49055
Malicious code in bioql PyPI...
EUVD-2023-43792
Malicious code in bioql PyPI...
PT-2025-39966
Name of the Vulnerable Software and Affected Versions: PAD CMS (affected versions not specified). Description: The software improperly initializes a parameter used during the password recovery process. This allows an attacker to change the password for any user who has not utilized the password reset...
CVE-2020-13157
modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users=edit= URI. The old password is not needed...
CVE-2020-10787
An elevation of privilege in Vesta Control Panel through 0.9.8-26 allows an attacker to gain root system access from the admin account via v-change-user-password aka the user password change script...
CVE-2012-6508
Multiple cross-site request forgery (CSRF) vulnerabilities in NetArt Media Car Portal 3.0 allow remote attackers to hijack the authentication of administrators for requests that (1) change arbitrary user passwords via a nouveau action in the security module to cars/ADMIN/index.php; (2) create a user or...
Ensure That Old Passwords Are Verified When Users Change Them
To prevent a third party from maliciously changing the password of another user, the old password must be verified when a user changes the password. According to the common practice in the industry, the old password does not need to be verified when the root user changes its own password. The roo...
WordPress plugin Civi security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
CVE-2024-12876
CVE-2024-12876 affects the Golo – City Travel Guide WordPress Theme (WordPress theme). The issue is privilege escalation via account takeover: an unauthenticated attacker can change arbitrary user passwords (including administrators) due to improper validation of user identity before password upd...
CVE-2024-12860
CVE-2024-12860 refers to the CarSpot – Dealership WordPress Classified Theme. The vulnerability allows unauthenticated privilege escalation via account takeover because the plugin does not properly validate a token before updating a user’s password. The issue affects CarSpot up to and including v...
CVE-2024-10215
The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for...
CVE-2024-26271
Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change us...