Arbitrary Password Reset Vulnerability in WP User Manager WordPress Plugin

Arbitrary Password Reset Vulnerability in WP User Manager WordPress Plugin

CVE-2021-24655 · HIGH Severity

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

Learn more about our Wordpress Pen Testing.