GHSA-9QV9-8XV6-5P35 phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation
Summary The password reset API can be triggered without authentication and without any out-of-band confirmation step. If an attacker knows a valid username + email pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and...
EUVD-2026-30185
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockouthandler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a success keyword...
EUVD-2026-14015
The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0. This is due to missing authentication and capability checks on the configuration reset functionality in the global scope of smarter-analytics.php. This makes it possible for...
CVE-2026-23813
CVE-2026-23813 pertains to Aruba AOS-CX switches, where the web-based management interface may allow an unauthenticated remote actor to bypass authentication and potentially reset the admin password. Technical details across sources confirm an authentication bypass with high impact (CVE-2026-2381...
CVE-2025-15030 User Profile Builder < 3.15.2 - Unauthenticated Arbitrary Password Reset
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account...
CVE-2023-53964
The CVE-2023-53964 entry concerns SOUND4 IMPACT/FIRST/PULSE/Eco v2.x. The vulnerability is an unauthenticated factory-reset flaw in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to trigger a device factory reset by sending a crafted POST request, bypassing authenticati...
CVE-2025-12696 HelloLeads CRM Form Shortcode <= 1.0 - Unauthenticated Settings Reset
The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them...
CVE-2025-12579 Reuters Direct <= 3.0.0 - Missing Authorization to Unauthenticated Settings Reset
The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings...
CVE-2025-12157
CVE-2025-12157 concerns the WordPress plugin Simple User Capabilities. The connected documents confirm an unauthenticated modification risk due to a missing permission check on the AJAX endpoint wp_ajax_nopriv_reset_capability, affecting versions up to and including 1.0. This can allow an unau...
CVE-2025-9893
The vulnerability CVE-2025-9893 affects the VM Menu Reorder plugin for WordPress (Product: VM Menu Reorder plugin). The issue is Cross-Site Request Forgery (CSRF) in versions up to and including 1.0.0, caused by missing or incorrect nonce validation on the vm_set_to_default function. This weaknes...
WordPress plugin Frontend Dashboard authorization issue vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. An authorization issue...
PT-2025-7345 · WordPress · Raptive Ads
Name of the Vulnerable Software and Affected Versions: Raptive Ads plugin for WordPress versions up to, and including, 3.6.3 Description: The issue is related to a missing capability check on the site ads files reset and cls file reset functions. This allows unauthenticated attackers to reset the...
PT-2024-28644 · Insyde · Insyde Ihisi
Name of the Vulnerable Software and Affected Versions: Insyde IHISI versions prior to kernel 5.2 version 05.29.19 Insyde IHISI versions prior to kernel 5.3 version 05.38.19 Insyde IHISI versions prior to kernel 5.4 version 05.46.19 Insyde IHISI versions prior to kernel 5.5 version 05.54.19 Insyde...
PT-2024-12466 · WordPress · The Bricks
Name of the Vulnerable Software and Affected Versions: The Bricks theme for WordPress versions up to, and including, 1.8.1 Description: The issue is due to missing or incorrect nonce validation on the reset settings function, making it possible for unauthenticated attackers to reset the theme's...
PT-2024-27925 · R Hub · R-Hub Turbomeeting
Name of the Vulnerable Software and Affected Versions: R-HUB TurboMeeting versions through 8.x Description: The password-reset mechanism in the Forgot Password functionality allows unauthenticated remote attackers to force the application into resetting the administrator's password to a random...
CVE-2023-5611
The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them...
PT-2023-32213 · WordPress · Seraphinite Accelerator
Name of the Vulnerable Software and Affected Versions: Seraphinite Accelerator WordPress plugin versions prior to 2.20.32 Description: The issue concerns a lack of authorization and CSRF checks in the Seraphinite Accelerator WordPress plugin when resetting and importing its settings. This allows...
WordPress plugin Seraphinite Accelerator security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability previously...
PT-2023-11366 · WordPress · The Coming Soon Page & Maintenance Mode
Name of the Vulnerable Software and Affected Versions: The Coming Soon Page & Maintenance Mode plugin for WordPress versions up to, and including 1.8.1 Description: The issue is related to missing capability checks in the /functions/data-reset-post.php file, allowing unauthenticated attackers to...
Optilink Network OP-XT71000N cross-site request forgery vulnerability
The Optilink Network OP-XT71000N is a wireless router from Optilink Network India. A cross-site request forgery vulnerability exists in the Optilink Network OP-XT71000N version V2.2 that allows an unauthenticated, remote attacker to reset the ONU to factory...