wpvulndb | Stiofan | WPVDB-ID:CCE03550-7F65-4172-819E-025755FB541F
Sep 22, 2021 - 12:00 a.m.

WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise

2021-09-22 00:00:00
Stiofan
wpscan.com
5

EPSS: 0.001 (Low)
Percentile: 25.0%

The plugin does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
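The missing check described above, modelled as an added example (not the plugin's PHP code and not part of the advisory). `ResetStore`, `reset_unbound` and `reset_bound` are hypothetical names, the accounts are constructed, and it is an assumption that the flawed handler still checks that the key exists.

```python
import hashlib
import secrets


class ResetStore:
    """Constructed in-memory stand-in for accounts and pending reset keys."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)  # user_id -> password (plaintext only in this model)
        self._pending = {}                # sha256(reset key) -> user_id it was issued for

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue_key(self, user_id):
        key = secrets.token_urlsafe(32)
        self._pending[self._digest(key)] = user_id
        return key

    def owner_of(self, key):
        return self._pending.get(self._digest(key))

    def consume(self, key):
        self._pending.pop(self._digest(key), None)


def reset_unbound(store, key, form_user_id, new_password):
    """Flawed pattern: the key only has to exist; the target comes from the form."""
    if store.owner_of(key) is None:
        return False
    store.passwords[form_user_id] = new_password
    store.consume(key)
    return True


def reset_bound(store, key, form_user_id, new_password):
    """Hardened pattern: the key decides the account; the form value must agree."""
    owner = store.owner_of(key)
    if owner is None or owner != form_user_id:
        return False
    store.passwords[owner] = new_password
    store.consume(key)  # single use: a replayed key is rejected
    return True


if __name__ == "__main__":
    s = ResetStore({1: "admin-secret", 7: "subscriber-secret"})  # constructed accounts
    print(reset_unbound(s, s.issue_key(7), 1, "chosen"), s.passwords[1])
    s = ResetStore({1: "admin-secret", 7: "subscriber-secret"})
    print(reset_bound(s, s.issue_key(7), 1, "chosen"), s.passwords[1])
```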

PoC

User registration must be enabled or you must already have at least a subscriber level account.

1. Request a password reset via the reset form of the plugin and with your user email address https://example.com/password-reset/ (must be logged out).
2. Open the link in the password reset email.
3. Enter the password you wish to use twice as directed.
4. Edit the HTML of the form (not the URL) and change the user_id=1 to the user you wish to reset the password of. eg:

CPE
Name | Operator | Version
wp-user-manager | lt | 2.6.3
