2 matches found
CVE-2021-24655
The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password to an arbitrary value of any user knowing only their ID, and gain access to their account...
CVE-2021-24655
The WP User Manager WordPress plugin (≤ 2.6.3) has a vulnerability where the password reset mechanism does not verify that the reset key maps to the targeted user ID. An authenticated attacker who knows a user’s ID can reset that user’s password to an arbitrary value, gaining account access. A pa...