21 matches found
CVE-2026-25654
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass authorization checks, leading to the ability to reset the...
CVE-2024-10215
The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for...
PT-2025-1579 · WordPress · Wpbookit
Name of the Vulnerable Software and Affected Versions: WPBookit plugin for WordPress versions up to, and including, 1.6.4 Description: The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change. This is due to the plugin providing user-controlled access to objects, letting ...
PT-2024-16328 · WordPress · Registrationmagic
Name of the Vulnerable Software and Affected Versions: RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress versions up to, and including, 6.0.2.6 Description: The issue is due to the plugin not properly validating the password reset token prior to...
CVE-2024-9862 Miniorange OTP Verification with Firebase <= 3.6.0 - Unauthenticated Arbitrary User Password Change
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and t...
CVE-2024-9862
The CVE-2024-9862 entry concerns the Miniorange OTP Verification with Firebase plugin for WordPress. It affects versions up to and including 3.6.0, where user-controlled access to objects and a missing current-password check enable unauthenticated password changes, potentially allowing administrator ...
CVE-2023-49589
An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to an arbitrary user password recovery. An attacker can send an HTTP request to trigger this...
WWBN AVideo userRecoverPass.php recoverPass generation insufficient entropy vulnerability
Talos Vulnerability Report TALOS-2023-1896: WWBN AVideo userRecoverPass.php recoverPass generation insufficient entropy vulnerability. January 10, 2024. CVE Number: CVE-2023-49589. SUMMARY: An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of...
Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin
On June 5, 2023, our Wordfence Threat Intelligence team identified, and began the responsible disclosure process for, an Arbitrary User Password Change vulnerability in the LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites according to our...
WordPress LearnDash LMS 4.6.0 Insecure Direct Object Reference
Description: LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change. Affected Plugin: LearnDash LMS. Plugin Slug: sfwd-lms. Affected Versions: <= 4.6.0. CVE ID: CVE-2023-3105. CVSS Score: 8.8 (High). CVSS Vector:...
CVE-2022-3930 Directorist < 7.4.2.2 - Subscriber+ Arbitrary User Password Update via IDOR
The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own...
GHSA-WM7G-RMGG-9837 GeniXCMS Arbitrary User Password Reset Vulnerability
forgotpassword.php in GeniXCMS lacks a rate limit, which might allow remote attackers to cause a denial of service login inability or possibly conduct Arbitrary User Password Reset attacks via a series of requests...
CVE-2017-8827
forgotpassword.php in GeniXCMS 1.0.2 lacks a rate limit, which might allow remote attackers to cause a denial of service login inability or possibly conduct Arbitrary User Password Reset attacks via a series of requests...
CVE-2017-8827
CVE-2017-8827 affects GeniXCMS 1.0.2: the forgotpassword.php endpoint lacks rate limiting, enabling a remote attacker to cause login denial of service or potentially perform arbitrary user password reset attacks via repeated requests. The available connected documents corroborate the same descrip...
CVE-2016-1543
The RPC API in the RSCD agent in BMC BladeLogic Server Automation BSA 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and reset arbitrary user passwords by sending an action packet to xmlrpc after an authorization failure...
PhpcmsV9 arbitrary user password modification logic vulnerability - vulnerability warning - the black bar safety net
I actually submitted the first vulnerability earlier; see: PhpcmsV9 SQL injection (2013 New Year's first). The code mentioned there: `parse_str(sys_auth($_POST['data'], 'DECODE', $this->applist[$this->appid]['authkey']), $this->data);` in phpsso_server/phpcms/modules/phpsso/classes/phpsso.class.php. I leave it up to yo...
HDWiki 5.1 arbitrary User Password Change vulnerability and fix - vulnerability warning - the black bar safety net
HDWiki's password reset has a logic vulnerability: an attacker can change any user's password. Detailed description: control/user.php, function dogetpass ...... `elseif (isset($this->post['verifystring'])) { $uid = $this->post['uid']; $encryptstring = $this->post['verifystring'];`...